A database containing the personal information of more than 1 million people was stolen from NextGen Healthcare, Inc., a provider of cloud-based healthcare technology.
NextGen Heathcare provided a disclosure to the Maine Attorney General’s office that said the breach occurred on March 29 and lasted through April 14. The compromise was discovered on April 24, the company reported.
The compromise occurred due to “unauthorized access to database stemming from use of stolen client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen,” the healthcare technology provider said.
NextGen’s disclosure indicated the databased contained “name or other personal identifier in combination with Social Security Number.”
NextGen had not responded to Dark Reading’s request for comment at the time of this post.
NextGen Breach Follow-on Attacks Likely
The NextGen breach poses a major threat to its victims, according to Tom Kellermann, senior vice president of cyber strategy at Contrast Security.
“This is a massive cybercrime which will result in widespread identity theft,” Kellermann said in a statement provided to Dark Reading. “Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woeful inadequate cybersecurity and second, they store the most sensitive PII.”
In 2021, there were more data breaches of healthcare-related organizations than any other sector, accounting for 24% of all cybersecurity incidents, according to Steve Gwizdala, vice president of healthcare at ForgeRock.
“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online — across the entire supply chain,” Gwizdala said in a statement.
Packers are becoming an increasingly important tool for cybercriminals to use in the commission of illegal acts. On hacker forums, the packer is sometimes referred to as “Crypter” and “FUD.” Its primary function is to make it more difficult for antivirus systems to identify malicious code. Malicious actors are able to disseminate their malware more quickly and with fewer consequences when they use a packer. It doesn’t matter what the payload is, which is one of the primary qualities of a commercial Packer-as-a-Service, which implies that it may be used to pack a variety of different harmful samples. This opens up a lot of opportunities for cybercriminals. Another key quality of the packer is that it is transformational. Because the packer’s wrapper is changed on a frequent basis, it is able to avoid detection by devices designed to enhance security.
According to Checkpoint, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has been able to go under the radar of cyber security researchers for a number of years and is consistently becoming better in a variety of different ways.
Although a lot of very good study was done on the packer itself, TrickGate is a master of disguises and has been given a number of different titles due to the fact that it has so many different characteristics. A number of names have been given to it, including “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”
At the end of 2016, they made our first observation of TrickGate. During that time, it was used to spread the Cerber malware. Since that time, they have been doing ongoing research on TrickGate and have discovered that it is used to propagate many forms of malicious software tools, including ransomware, RATs, information thieves, bankers, and miners. It has come to their attention that a significant number of APT organizations and threat actors often employ TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and top-distribution malware families have been wrapped by TrickGate,
including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more. TrickGate has also been involved in the wrapping of many other malware.
One of the most dominating threats in the current cyberspace era is ransomware which is constantly affecting organizations of all sizes. In order to cast a wider net of potential targets, attackers are constantly changing their tactics and expanding their tradecraft to make sure that they are successful.
As a result of ransomware attacks, a wide range of industries, systems, and platforms are being affected. When it comes to protecting hybrid devices and working environments at work today, it is vital to understand how ransomware works across these systems and platforms.
In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance such as downloading and running fake applications or trojanized programs to infect computers.
Unveiling the TTPs of Ransomware
During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.
The following steps are taken by malware creators in order to accomplish these objectives:-
Abuses legitimate functionalities
Devise various techniques to exploit vulnerabilities
Evade defenses
Force users to infect their devices
Microsoft analyzed the following four Mac ransomware families:-
KeRanger
FileCoder
MacRansom
EvilQuest
Technical Analysis
It is important for ransomware to target which files to encrypt in order to gain the greatest amount of success. Based on Microsoft’s observations, ransomware families enumerate files and directories in several different ways on Mac as follows:-
Using the Find binary
Using library functions opendir, readdir, and closedir
Using the NSFileManager class through Objective-C
The primary goal of malware creators is to prevent or evade the analysis of files by either the human analyst or an automated analysis system.
Among the ransomware families discussed above, either hardware-based checks are employed to ensure that the ransomware is not detected, or special code is made to prevent analysis of the ransomware.
As far as hardware-based checks are concerned, they are the following:-
Checking a device’s hardware model
Checking the logical and physical processors of a device
Checking the MAC OUI of the device
Checking the device’s CPU count and memory size
Among the checks related to the code are the following:-
Delayed execution
PT_DENY_ATTACH (PTRACE)
P_TRACED flag
Time-based check
It is quite common for malware to use persistence to make sure it continues to run even after the system has been restarted.
The EvilQuest and MacRansom ransomware families, among the Mac ransomware families that have been analyzed, have both utilized persistence techniques.
As a result, these malware families use a variety of persistence techniques to maintain their presence in the system. And here below we have mentioned the persistence techniques:-
Creating launch agents or launch daemons
Using kernel queues
There are often similarities in the anti-analysis and persistence techniques of the ransomware families that we have analyzed. There is, however, a difference in the encryption logic between these ransomware families.
The encryption of files is often done using AES-RSA algorithms, while other techniques are used, such as system utilities, XOR routines, or custom algorithms.
The methods for encrypting data vary from adding a patch in place to deleting the original file and creating a new one in its place. As part of its implementation of in-memory execution, EvilQuest uses the following APIs:-
NSCreateObjectFileImageFromMemory – used for creating an object file image from the data present in memory
NSLinkModule – used to link the object file image
NSLookupSymbolInModule – used for looking for a specific symbol
NSAddressOfSymbol – used to get the address of the symbol.
Recommendation
It is possible for defenses to mitigate the impact of ransomware attacks by taking the following mitigation steps:-
Do not install apps from sources other than the official app store of the software platform.
Protect privileged resources by restricting access to them.
Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
Keep your operating system and applications up-to-date by installing the latest versions of them.
On your Mac, make sure you are using Microsoft Defender for Endpoints.
Ransomware strikes businesses every 11 seconds. The ransomware attack volume is already at record levels, but we’re hearing it’s only getting worse.
As some victims managed to take precautions and refused to pay the ransom, attackers began to add more layers to their attacks.
Double extortion ransomware became a common tactic in 2021. But in 2022, the attackers presented an innovation in their attacking technique called triple extortion.
What is triple extortion ransomware attack, and how to protect your business? Read on to find out.Â
What is Double extortion ransomware?
It is becoming increasingly common for attackers to use ransomware to extort money from businesses and individuals. This type of cybercrime is called “double extortion.”
Here the criminals encrypt the victim’s data and threaten to release it publicly if a ransom is not paid.
As soon as the attacker exfiltrates the data they wish to leverage, they launch the encryption attack. Next, the attacker threatens to expose the data, possibly selling personal data about customers.
In most cases, even organizations that have paid the ransom have found their data to be leaked.
In September 2022, SunCrypt ransomware used DDoS as an additional attack layer. Attackers threaten to overwhelm the victim’s server with traffic if the ransom is not paid.
Malicious actors like Avaddon and REvil soon started to follow the same tactic. Adding DDoS extortion attacksis expected to continue, given the increased use of IoT devices and the surge in bitcoins.
What is Triple Extortion Ransomware Attack?
In triple extortion, attackers demand payment from the company that was initially compromised and those whose information was stolen.
The first case of triple extortion was observed when Vastaamo, a Finland-based psychotherapy clinic, was breached. Even after the clinic paid the ransom, attackers threatened the therapy patients with releasing their session notes.
Another instance of triple extortion occurred last year when the attacker targeted Apple after their first victim, hardware supplier Quanta, refused to pay.
In this case, criminals proved they could compromise key suppliers if they gained leverage over the initial victim.
Remember, such an assault can cause irreparable damage to the reputation of any company, regardless of the industry.
Leading Causes of Double and Triple Extortions
The main factors that contribute to the increase in double and triple extortions include:
The proliferation of ransomware-as-a-service (RaaS) platforms has made it easier for attackers to launch these attacks.
Using cryptocurrency has made it more difficult for law enforcement to trace and track payments.
The emergence of new ransomware strains specifically designed for double and triple extortions.
Who is vulnerable to Triple extortion ransomware?
Attackers targets companies with inadequate cybersecurity solutions and less mature security teams. They also prey on companies that can pay the ransom demands.
The most obvious targets for ransomware operations are companies and organizations that store client or customer data.
Whenever a corporation owns or controls important data or is connected to one, they risk triple extortion.
How to prevent triple extortion ransomware attacks?
Many ransomware attacks remain undetected and unreported until they reach the domain controller. A detection-centric approach will only warn businesses of attacks that are already underway. The most effective course of action is prevention.
Here are effective ways to prepare against triple extortion attacks:
Keep your network secure
Double extortion ransomware uses the same methods to access your network as traditional ransomware. To prevent initial access to a network, train employees on security awareness, establish password policies and implement multi-factor authentication.
Run vulnerability assessments and patch known vulnerabilities regularly to avoid compromise.
Back up Data
If an attacker infiltrates your network, an offline backup can protect you from the first part of a ransomware attack: data recovery.
Furthermore, encrypt your data to prevent a double extortion attack. It ensures that, if stolen, the ransomware group cannot read it.
Cyber Threat Intelligence
Threat Intelligence is a key pillar in the cyber security stack. Gathering information related to cyber threats provides insights into threat actors and methodologies that could impact your business.
Stay ahead of the latest threat intelligence to detect and analyze threats. Hunt for signs of compromise that lead to a ransomware attack.
Proper DDoS Protection
The DDoS attack is now on the list of services the RaaS operator offers. You should protect your company’s network and server with a DDoS security solution. It tracks the incoming traffic, identifies the malicious requests, and diverts them away from your network and server.
With sophisticated techniques, attackers are dispersing their DDoS attacks. Indusface offers DDoS protection solutions, enabling you to customize mitigation thresholds to isolate and block attacks.Â
Conclusion
Cybercriminals continue to evolve their attack techniques; you can’t fall behind and expose your assets.
If you are at risk of a triple extortion attack, paying the ransom is not the way out. Focus on preventing and mitigating attacks as they happen.
The best solution would be to prevent the attack from happening in the first place. A comprehensive ransomware resilience plan is essential for preparation, prevention, and response.
More good news: We know how ransomware “gangs” work and, for the most part, what they’re after.
Ransomware is opportunistic and the barriers to entry for operators are relatively low as the tools, infrastructure, and access that enables these attacks have proliferated across various online illicit communities through the ransomware-as-a-service (RaaS) model. Ransomware affiliates can rent the malware and be paid a commission from the victim’s extortion fee.
Initial access brokers—i.e. threat actors who sell ransomware operators and affiliates access into victim networks—are constantly scanning the internet for vulnerable systems. Leaked credentials from breaches and other cyber incidents can lead to brute force or credential stuffing attacks. Employees need to constantly be aware of increasingly sophisticated social engineering schemes. Threat actors can use any of these mechanisms to breach systems, escalate privileges, move laterally, and ideally take actions on objectives, dropping that malware on a victim’s network and encrypting all of their files.
But one of the most effective ways to stop a ransomware attack is to deny them access in the first place; without access, there is no attack. The adversary only needs one route of access, and yet the defender has to be aware and prevent all entry points into a network. Various types of intelligence can illuminate risk across the pre-attack chain—and help organizations monitor and defend their attack surfaces before they’re targeted by attackers.
Vulnerability intelligence
The best vulnerability intelligence should be robust and actionable. For instance, with vulnerability intelligence that includes exploit availability, attack type, impact, disclosure patterns, and other characteristics, vulnerability management teams predict the likelihood that a vulnerability could be used in a ransomware attack.
With this information in hand, vulnerability management teams, who are often under-resourced, can prioritize patching and preemptively defend against vulnerabilities that could lead to a ransomware attack.
Threat intelligence
Having a deep and active understanding of the illicit online communities where ransomware groups operate can also help inform methodology, and prevent compromise. Organizations must be able to monitor for, and be alerted to, stolen login credentials before they reach criminal actors. This intelligence can mitigate account takeover and break the chain leading to brute force or credential stuffing attacks.
Technical intelligence
When cyber threat actors successfully infiltrate your network, the subsequent attack is not always immediate; sometimes, they will install tools that can help them further invade and seek access to the most valuable data. Technical intelligence helps security teams detect indicators of compromise, or IOCs, and the presence of Cobalt Strike beacons, which can unknowingly be present in your systems and later help a ransomer carry out an attack.
Prevention through preparedness
In order to help employees and executives understand various ransomware-related risks, organizations should seek to implement tabletop exercises designed by companies with expertise preparing for, and responding to, a ransomware event. These simulated scenarios should cover how to spot (and report) social engineering schemes like phishing attacks, which lure employees to click on links or interact with harmful attachments that could allow ransomware malware to be deployed on company devices.
By spending time building out and rehearsing a response plan prior to an attack scenario, your team will be equipped with informed decision-making during a ransomware-related emergency. But rest assured: It’s best to have the right intelligence at-hand, including the data, expert insights, and tools that can help to prevent an attack in the first place and keep your organization running without interruption.
Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.
Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.
It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in United States and Canada. They were also targeting some Asian countries like India and China.
What is BazarCall?
BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.
In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.
NJVC has been added to the victim list of the BlackCat (ALPHV) ransomware gang. NJVC provides IT support to the US government’s intelligence and defense organizations.
With annual revenue of over $290 million, the company NJVC has a very impressive record. It is claimed that the BlackCat Ransomware Gang has hacked the Department of Defense of the United States of America.
DarkFeed, a deep web intelligence company that operates on the dark web, spotted the message on 28 September. There was a breach declaration provided by BlackCat, which resulted in its immediate suspension. TheRegister said.
Until 30 September, the Dark Web site that hosted BlackCat’s leak site was accessible. NJVC is no longer listed as a victim of the gang and has been removed from its website.
“We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” ALPHV said, per the screenshot.
Earlier today it was reported that ALPHV ransomware group had breached a United States Department of Defense contracting company which provides IT infrastructure services.
In late 2021, the first outbreaks of BlackCat ransomware were observed, and the Rust programming language was used in BlackCat.
Ransomware-as-a-service (RaaS) is one of the business models operated by this organization, just like so many others in the criminal underworld.
A number of prominent ransomware families are known to have been used by threat actors who started deploying BlackCat ransomware.
Here below we have mentioned those ransomware families:-
Conti
LockBit
REvil
Darkside and Blackmatter ransomware cartels are linked with the BlackCat cartel. This group may have a well-established network with close ties to the ransomware industry in the case of the ransomware business.
As one of the most active ransomware gangs in recent years, BlackCat has been among the most prominent. It is estimated that in 2022, near about 12% of all attacks were perpetrated by this group.
It is estimated that the group’s activity has increased by 117% since the quarter before, in comparison with the quarter prior. Moreover, as part of the group’s strategy, high-profile, critical industries are being targeted by the group.
The Italian luxury sports car manufacturer Ferrari confirmed the availability of internal documents online, but said it has no evidence of cyber attack.
Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online, the company confirmed their authenticity stating it is not aware of cyber attacks.
Ferrari is investigating the leak of the internal documents and announced it will implement all the necessary actions.
While the circumstance suggests the company could have suffered a ransomware attack, the car manufacturer that it has no evidence of a compromise of its systems or ransomware, it also added that its business and operations were not impacted.
The news of the alleged cyber attack was first reported by the Italian website Red Hot Cyber which first reported that the ransomware gang RansomEXX claimed to have breached the popular car maker on its Tor leak site.
The ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.
The source of the documents is still unclear. In the past, the ransomware gang Everest breached the systems of the Speroni SPA, a company in the supply chain of multiple car makers, including Ferrari and leaked company documents online.
No, not all ransomware attacks unfold in the way you might expect.
Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out the attacks.
Once they’re in, the affiliates then wander around the victim’s network, getting the lie of the land for a while, before abruptly and often devastatingly scrambling as many computers as they can, as quickly as they can, typically at the worst possible time of day.
The affiliates typically pocket 70% of the blackmail money for any attacks they conduct, while the core criminals take an iTunes-ike 30% of every attack done by every affiliate, without ever needing to break into anyone’s computers themselves.
That’s how most malware attacks happen, anyway.
But regular readers of Naked Security will know that some victims, notably home users and small business, end up getting blackmailed via their NAS, or networked attached storage devices.
Plug-and-play network storage
NAS boxes, as they are colloquially known, are miniature, preconfigured servers, usually running Linux, that are typically plugged directly into your router, and then act as simple, fast, file servers for everyone on the network.
No need to buy Windows licences, set up Active Directory, learn how to manage Linux, install Samba, or get to grips with CIFS and other network file system arcana.
NAS boxes are “plug-and-play” network attached storage, and popular precisely because of how easily you can get them running on your LAN.
As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening up their servers to the internet – often by accident, though sometimes on purpose – with potentially dangerous results.
Notably, if a NAS device is reachable from the public internet, and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.
Crooks could not ony run off with your trophy data, without needing to touch any of the laptops or mobile phones on your network, but also modify all the data on your NAS box…
…including directly rewriting all your original files with encrypted equivalents, with the crooks alone knowing the unscrambling key.
Simply put, ransomware attackers with direct access to the NAS box on your LAN could derail almost all your digital life, and then blackmail you directly, just by accessing your NAS device, and touching nothing else on the network.
They don’t bother attacking Windows computers, Mac laptops, mobile phones or tablets; they just go straight for your main repository of data.
(You probably turn off, “sleep”, or lock most of your devices at night, but your NAS box probably quietly runs 24 hours a day, every day, just like your router.)
By targeting vulnerabilities in the products of well-known NAS vendor QNAP, the DEADBOLT gang aims to lock everyone else on your network out of their digital lives, and then to squeeze you for several thousands dollars to “recover” your data.
After an attack, when you next try to download a file from the NAS box, or to configure it via its web interface, you might see something like this:
In a typical DEADBOLT attack, there’s no negotiation via email or IM – the crooks are blunt and direct, as you see above.
In fact, you generally never get to interact with them using words at all.
If you don’t have any other way to recover your scrambled files, such as a backup copy that’s not stored online, and you’re forced to pay up to get your files back, the crooks expect you simply to send them the money in a cryptocoin transaction.
The arrival of your bitcoins in their wallet serves as your “message” to them.
In return, they “pay” you the princely sum of nothing, with this “refund” being the sum total of their communication with you.
The “refund” is a payment worth $0, submitted simply as a way of including a bitcoin transaction comment.
That comment consists of 16 apparently random data bytes, seen encoded as 32 hexadecimal characters in the screenshot below, which constitute the AES decryption key you will use to recover your data:
From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data.Â
Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received. Â
The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.
Cybersecurity agencies warn that despite networks being encrypted, victims shouldn’t pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.
Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later – providing a lesson in why you should never trust cyber criminals.
Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.
Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place.Â
Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism.Â
“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said.
In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline.Â
It’s also recommended that organisations apply security updates as quickly as possible to stop attackers targeting known vulnerabilities to gain access to accounts and networks.Â
When your company’s data is leveraged in a cyber extortion attack, a quick determination must be made about the nature and extent of the attack, followed by the execution of plans to respond to and mitigate the attack. Because the longer a ransomware attack remains unaddressed, the more potential damage there could be to your organization’s ability to conduct business as usual.
While an organization’s ultimate goal is the total prevention of an attack, mitigation is a likelier (and perhaps more reasonable) goal, and organizations should prioritize preparedness just as much as prevention. Prevention includes the implementation of best practices and measures that can stop ransomware events from happening while also positioning the organization to sustain as little as damage as possible, should an attack occur.
Ransomware readiness can be divided into three major components: preparation, detection and isolation.
Preparation
Your organization’s ability to respond to a ransomware event is directly affected by the tools you have readily available to you in the moment, which makes preparation a key part of successfully navigating an attack. Good preparation works twofold to educate your teams on how to prevent attacks, and to provide guidance on what to do in case you are targeted.
The following are some of the components you may wish to include as you map out your organization’s planning around cyber extortion attacks.
Create an Incident Response playbook that contains all relevant information related to responding to a ransomware attack.
Regularly hold mandatory training sessions for employees to educate them on how to prevent giving threat actors access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and best practices for online safety may be among the topics covered.
Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and voice their concerns if they feel there is a risk that needs to be addressed.
Detection
Detection refers to the tools, technology, people, and processes in place to notice that attack is happening or has occured, and to identify its source within the network. Specific subcomponents of detection include:
Having a robust system of platforms configured to monitor your networks and alert you if suspicious activity occurs, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which can signal that they’re being encrypted.
Fueling your threat intelligence program with easily accessible and updated knowledge about specific ransomware actors/groups and tactics, techniques, and procedures (TTPs)—including technical intelligence—to better anticipate potential risk apertures and attacks.
Implement multi-factor authentication to reduce the likelihood of ransomers gaining unauthorized access to your systems.
Isolation
To limit its spread, isolation should be your organization’s first priority after you realize a ransomware attack is targeting your organization. Designing your systems in a way that separates different networks can be very impactful when every second counts. Specific subcomponents of isolation include:
Limiting any individual employee’s access to only the files and data they must have to do their jobs.
Shutting down infected systems and completely disconnecting them from your organization’s network as quickly as possible.
Disabling means of spreading potentially harmful data among devices, including VPN, NAC, and AD-user.
Responding to an ransomware attack
Once you have successfully caught and halted a ransomware attack’s progression, it is critical to have a response plan already in place to help you save time making decisions and keep emotional reactions in check, which can occur during a potential emergency. It can be difficult to determine the full scope of a ransomware attack, and the more data that the threat actor extorts or encrypts, the longer it may take to understand the nature of the breach.
ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom.
ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom, the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online will make data indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.
The ALPHA/BlackCat gang has been active since at least December 2021 when malware researchers from Recorded Future and MalwareHunterTeam discovered their operation. The ALPHA/BlackCat is the first professional ransomware strain that was written in the Rust programming language.
BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.
Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.
ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.
In the past, many victims of past ransomware attacks were not concerned about the publication of their data on a leak site in the Tor network believing that dark nets are not easy to access to the masses.
The ransomware gangs set up a website on the clear web for each victims and publish the stolen data on it.
It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.
Mandiant: “No evidence” we were hacked by LockBit ransomware
American cybersecurity firm Mandiant is investigating LockBit ransomware gang’s claims that they hacked the company’s network and stole data.
The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online.
“All available data will be published!” the gang’s dark web leak site threatens under a timer showing just under three hours left until the countdown ends.
LockBit has yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is empty.
However, the page displays a 0-byte file named ‘mandiantyellowpress.com.7z’ that appears to be related to a mandiantyellowpress.com domain (registered today). Visiting this page redirects to the ninjaflex.com site.
When BleepingComputer reached out for more details on LockBit’s claims, the threat intel firm said it hadn’t yet found evidence of a breach.
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops,” Mark Karayan, Mandiant’s Senior Manager for Marketing Communications, told BleepingComputer.
Mandiant says it's looking into Lockbit ransomware gang's claims:
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.” pic.twitter.com/JLM5ob1yCi
These claims come after Mandiant revealed in a report published last week that the Russian Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade U.S. sanctions.
Mandiant announced in March that it entered into a definitive agreement to be acquired by Google in an all-cash transaction valued at roughly $5.4 billion.
The LockBit ransomware gang has been active since September 2019 as a ransomware-as-a-service (RaaS) and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums [1, 2].
Accenture, a Fortune 500 company and one of LockBit’s victims, confirmed to BleepingComputer in August 2021 that it was breached after the gang asked for a $50 million ransom not to leak data stolen from its network.
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Easterly announced the news at an Institute for Security and Technology (IST) event on May 20 in Washington, D.C., and also said the task force would have its first official meeting within the next few months.
“We’re very excited about it,” Easterly said during an event interview. “We think that this will actually build really nicely on the infrastructure and the scaffolding that we’ve developed with the [Joint Cyber Defense Collaborative] to use what we have as part of the federal cyber ecosystem and the companies that are part of the JCDC alliance to plug into the hub as envisioned in the Ransomware Task Force Report.”
She added that the FBI will co-chair the task force, which means the operational leads will be Eric Goldstein, CISA’s head of cyber and Bryan Vorndran, the assistant director of the FBI’s Cyber Division.
CIRCIA’s Reporting Requirements
Passed as part of the omnibus spending bill in March, CIRCIA focuses on critical infrastructure companies—ranging from financial services firms to energy companies, or other entities where a cybersecurity event would impact economic security or public health and safety.
CIRCIA would require these entities to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.
The Institute for Security and Technology issued a report last year that included a framework to combat the rising threat of ransomware.
Former State Department cybersecurity coordinator Chris Painter, also a co-chair of the ransomware task force working groups, explained during the IST event that combating ransomware threats requires a high degree of coordination and cooperation between government agencies.
“Establishing the new task force signals that this issue continues to be a priority and is a recognition that combating ransomware will take a sustained, long-term effort,” he said. “It should work to leverage federal and private sector capability to disrupt the major ransomware actors in any way possible.”
Easterly said the focus would be on operationalizing progress in an agile way and disrupting these bad actors, with CISA on the resilience/defense side.
“We want to work with all of our partners across the federal cyber ecosystem and the industry to actually be able to go after these actors in a very agile way at scale,” she said.
She said the days of holding threat report briefings on a quarterly basis are long over; it is no longer a realistic way of protecting critical infrastructure threats.
“We all have to be in the room all the time, sharing information constantly so that we can create that picture together, because it’s very likely that industry is going to see a cyberattack on the homeland before we see it,” Easterly said. “So, we have to be in the same room—we have to trust each other.”
Beyond Ransomware
The event also featured a keynote address from Deputy Attorney General Lisa Monaco, who announced twin initiatives from the Department of Justice.
The first is aimed at tackling illegal cryptocurrency transactions while the second concerns the establishment of a cybersecurity operations international liaison position to speed up international operations aimed at disrupting the activities of cybersecurity threat actors globally
“We’ve got to evolve to keep pace with the threat and the nation-states and criminal actors driving it,” Monaco said.
Matthew Warner, CTO and co-Founder at Blumira, a provider of automated threat detection and response technology, said as attacks against businesses and infrastructure have continued to grow, so has the impact of these attacks.
“Ransomware is a systemic risk to all computing at this point, which requires a unique response from governments,” he said. “To do this, however, requires a task force that can respond in a way that we have not seen before in cybersecurity.”
He explained if governments wanted to defend their and their allies’ infrastructures—commercial or not—then reducing ransomware across the globe is paramount.
Alex Ondrick, director of security operations at BreachQuest, an incident response specialist, noted that information-sharing and trust-building between government and private business is long overdue by at least a decade, but that initiatives such as JRTF could improve upon a growing private-public partnership.
“Governments have come to increasingly rely on the private sector, yet governments are only just beginning to reciprocate information-sharing,” he said. “Given new legislation and interest, CISA’s JRTF has an opportunity to increase the lines of communication and improve information-sharing.”
Ondrick added that an increasingly decentralized ransomware threat landscape has created an opportunity for more ransomware-as-a-service (RaaS) attackers and more ransomware attacks overall.
“Ransomware has become a key fixture of cybercrime as we move towards a post-COVID-19 world, and ransomware—as related to critical infrastructure—continues to evolve,” he said. “Preventing a ransomware attack against critical infrastructure is of the utmost seriousness and urgency.
Regarding the DoJ’s initiative tackling illegal cryptocurrency transfers, Warner pointed out that the nature of blockchain—and therefore, cryptocurrencies—means every transaction is available for the world to see.
“While attackers will try to move this money around through tumblers, in the end, it must end up somewhere to convert to usable currency,” he said. “Government and NGO initiatives have the opportunity to track cryptocurrency use and look for clusters of ransomware payments being funneled through the blockchain.”
If the target wallets and/or transfers in and out of these potential ransomware wallets can be identified, then governments can disrupt the actors by seizing cryptocurrency from them—this was the case when the U.S. seized $30 million in cryptocurrency from the NetWalker ransomware group in early 2021.
“Ransomware will only continue to grow, as will new attacks leveraged by ransomware, which means that not only the government but also all private entities must level up quickly to defend properly,” Warner said.
At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.
The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.
“The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”
The BlackCat/ALPHV a Ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain that was written in the Rust programming language.
BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.
Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.
According to the alert, many of the developers and money launderers for gang are linked to Darkside/Blackmatter operations.
ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.
ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.
Ransom demands range from a few hundreds of thousands up to $3M worth of Bitcoin or Monero.
The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.
The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.
Below are recommended mitigations included in the alert:
Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
Review antivirus logs for indications they were unexpectedly turned off.
Implement network segmentation.
Require administrator credentials to install software.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
Use multifactor authentication where possible.
Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
Implement the shortest acceptable timeframe for password changes.
Kaspersky discovered a flaw in the encryption process of the Yanluowang ransomware that allows victims to recover their files for free.
Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom.
The Yanluowang ransomware was first spotted by researchers from Symantec Threat Hunter Team in October 2021, the malware was used in highly targeted attacks against large enterprises.
The discovery is part of an investigation into an attempted ransomware attack against a large organization.
Kaspersky implemented the decrypting process for the Yanluowang ransomware in its RannohDecryptor tool. In order to decrypt their files, victims of this family of ransomware should have at least one original file.
“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack.” reads the post published by the company.
The Yanluowang ransomware uses different encryption routines depending on the size of the files.
Files greater than 3GB using are partially encrypted in stripes, 5MB after every 200MB, while files smaller than 3GB are completely encrypted from beginning to end.
For this reason, to decrypt files the following conditions must be met:
To decrypt small files (less than or equal to 3 GB), users need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
To decrypt big files (more than 3 GB), users need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.
“By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.” continues the post.
The Symantec researchers noticed the use of the legitimate AdFind command line Active Directory query tool that is often abused by ransomware operators as a reconnaissance tool.
Before being deployed on compromised devices, the attackers launch a malicious tool designed to prepare the environment with the following actions:
Creates a .txt file with the number of remote machines to check in the command line
Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
Logs all the processes and remote machine names to processes.txt
The analysis of the samples collected by the experts revealed that the Yanluowang ransomware uses the Windows API for encryption.
Upon deploying the Yanluowang ransomware, it will stop hypervisor virtual machines, end all processes logged by the above tool (including SQL and back-up solution Veeam), then it will encrypt files. The ransomware appends the .yanluowang extension to the filenames of the encrypted files.
The ransom note (README.txt) dropped on the infected machine warns the victims not to contact law enforcement or ask ransomware negotiation firms for help. The ransomware operators will launch distributed denial of service (DDoS) attacks against the victim if it will not respect their rules. The ransomware operators also threaten to make calls to employees and business partners to damage the brand reputation of the victims, along with targeting again the victim in a few weeks and delete its data.
A Ukrainian security researcher has leaked more source code from the Conti ransomware operation to protest the gang’s position on the conflict.
Hacker leaked a new version of the Conti ransomware source code on Twitter as retaliation of the gang’s support to Russia
The attack against the Conti ransomware and the data leak is retaliation for its support for the Russian invasion of Ukraine.
The attack will have a significant impact on the operation of the gang, considering also that many of Conti’s affiliates are Ukrainian groups.
Recently a Ukrainian researcher leaked 60,694 messages internal chat messages belonging to the Conti ransomware operation after the announcement of the group of its support to Russia. He was able to access the database XMPP chat server of the Conti group.
In a second round, the expert leaked the old source code for the Conti ransomware encryptor, decryptor, and builder, along with the administrative panel and the BazarBackdoor API. The leaked old Conti ransomware source code is dated September 15th, 2020.
The source code for the ransomware is contained in a password-protected archive, despite the researcher did not leak the password, another expert cracked it and share it.
The public availability of the source code could temporarily destroy the Conti ransomware operation because security experts could perform reverse engineering to determine how it works and develop a working decrypted.
On the other side, other threat actors could perform reverse engineering to develop their own version of the threat, a circumstance that opens to worrisome scenarios.
Now the Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation, the code is dated January 25th, 2021.
The code appears to be more recent than the previous leak, according to Bleeping Computer Conti Leaks uploaded the source code for Conti version 3 to VirusTotal and shared a link on Twitter.
“The source code compiles without error and can be easily modified by other threat actors to use their own public keys or add new functionality.” reported BleepingComputer. “BleepingComputer compiled the source code without any issues, creating the cryptor.exe, cryptor_dll.dll, and decryptor.exe executables.”
Chipmaker giant Nvidia confirmed a data breach after the recently disclosed security incident, proprietary information stolen.
The chipmaker giant Nvidia was recentty victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.
The incident also impacted the company’s developer tools and email systems, but business and commercial activities were not affected.
“Our business and commercial activities continue uninterrupted,” Nvidia said in a statement. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.”
The Lapsus$ ransomware gang is claiming responsibility for this attack, the group announced to have stolen 1 TB of data from Nvidia’s network. The ransomware gang leaked online around 20GB of data, including credentials for all Nvidia employees.
The company launched an investigation into the incident to determine the extent of the intrusion that confirmed that the attackers have stolen data from the chipmaker.
NVIDIA said employee credentials and proprietary information were stolen during a cyberattack they announced on Friday.
The chipmaker giant discovered the intrusion on February 23, the attack also impacted its IT resources.
“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the group claimed in a subsequent message.” the LAPSU$ ransomware gang wrote on its Telegram change. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”
Lapsus$ claim responsibility for the hack on Nvidia – and also claim that Nvidia successfully hacked back. pic.twitter.com/F8ocpB6Qev
Below is the statement shared by NVIDIA with some websites and published by BleepingComputer.
“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” reads the statement. “We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.”
