A critical vulnerability (CVE-2023-27532) in Veeam Backup & Replication software is being actively exploited by a new ransomware group known as FRAG. This flaw allows unauthorized attackers to access backup infrastructure and steal sensitive data, which can lead to double extortion tactics. The FRAG ransomware gang has been observed leveraging this flaw to gain initial access to networks before encrypting data and demanding ransom payments.
Key points include:
The vulnerability enables access by exposing credential information in plaintext.
Attackers use this as a foothold to compromise the broader infrastructure.
Users are strongly urged to patch Veeam installations to prevent exploitation.
The post highlights the importance of updating security measures to defend against such targeted ransomware campaigns.
Recently, there has been an emergence of a new scam targeting victims of ransomware attacks. This scam involves individuals or groups posing as “security researchers” or “ethical hackers,” offering to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.
The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).
These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.
A notable aspect of this scam is that it adds an additional layer of extortion to the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.
Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.
THE EMERGING SCAM IN RANSOMWARE ATTACKS
1. THE FALSE PROMISE OF DATA DELETION
Ransomware gangs have been known not to always delete stolen data even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.
2. FAKE “SECURITY RESEARCHER” SCAMS
A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.
3. THE HACK-BACK OFFERS
Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.
4. THE ILLOGICAL NATURE OF PAYING FOR DATA DELETION
Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.
5. THE ROLE OF RANSOMWARE GROUPS
Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.
These scams underscore the critical importance of cybersecurity vigilance and the need for robust security measures to protect against ransomware and related cyber threats. They also highlight the challenging decision-making process for organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.
South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.
South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.
The problem? Thames Water wasn’t breached.
Apparently, Clop got its UK water companies confused.
South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to our corporate IT network and our teams are working to resolve this as quickly as possible.” It added that there has been no disruption to service.
“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said.
Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports.
“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror.
While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence.
“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebig said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”
The dilemmas organizations must deal with are dizzying:
To pay a ransom or not?
Will cyber insurance provide adequate shelter?
What’s the role of government?
Are new mandates and penalties on the horizon?
How are adversaries evolving their tactics?
To make sense of it all, let’s first focus on the adversaries and their playbook. Cyber criminals have a well-developed business model and a carefully contemplated financial calculus of ransomware. They have determined whether they will launch a direct attack to maximize profits or offer Ransomware-as-a-Service, complete with a help desk and other support services, to supplement their income while enabling malicious actors with less technical skill.
They have researched their victims and targeted organizations based on their ability to pay. All these tactics are developed and executed in concert to make paying the ransom the path of least resistance, financially and logically.
Every aspect of a ransomware campaign is calculated to elicit an emotional response from the target such that it is easier to pay the ransom than to bear the costs and delays of trying to recover on their own.
The FIN7 hacking group is attempting to enter the ransomware business and is doing it with an interesting technique. The gang creates fake cybersecurity companies that hire security experts and have them carry out what are in fact intrusions against real targets under the guise of penetration-testing engagements.
FIN7 is a Russian criminal group that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is then used in attacks or sold in cybercrime marketplaces.
One of the companies created by the cybercriminal organization for this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Secure.
The Bastion Secure website is hosted on the Russian domain registrar Beget, which is popular in the Russian cybercrime communities. Most of the submenus of the site return a Russian-language HTTP 404 error, a circumstance that suggests the site creators were Russian speakers. At the time of the report, some of the HTTP 404 errors remain unfixed.
The website is a clone of the website of Convergent Network Solutions Ltd, and Bastion Secure’s “About” page claims it is a spinoff of that legitimate cybersecurity firm, which has no link to the criminal gang.
Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t, which means organizations should remain particularly vigilant about the potential for ransomware attacks, the federal government has warned.
Citing historical precedent, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.
While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry, given that some major cyberattacks have occurred over holidays and weekends during the past few months.
Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.
“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.
Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.
That’s mainly because the absence of key personnel makes it less likely that targeted organizations can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.
“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.
Governments and law enforcement hate it when ransomware victims pay the blackmail demands that almost always follow a ransomware attack, and you can understand why, given that today’s payments fund tomorrow’s cybercriminality.
Of course, no one needs to be told that.
Paying up hurts in any number of ways, whether you feel that hurt in your head, in your heart or even just in the pit of your stomach.
“I was happy to pay up for a job well done,” said no ransomware victim ever.
However, it’s easy for people who aren’t looking down the wrong end of the cybercrime barrel to say, “You should never, ever pay. You should let your entire business implode, and let everyone in the company lose their job, because that’s just the price of failure.”
So, if your back’s against the wall and you DO pay up in the hope that you’ll be able to restart a business that has ground to a total halt…
…how well will it all go?
Guess what? You can find out by tuning into a fun but informative talk that we’re giving twice this week.
You need to register, but both events are free to join. (They’re both 100% virtual, given that the UK is still in coronavirus lockdown, so feel free to attend from anywhere.)
We’ll give you a clue by sharing a key slide from the talk:
As you can see, paying up often doesn’t work out very well anyway, even if you have no ethical qualms about doing so, and enough money burning a hole in your pocket to pay without flinching.
And remember that if you lose 1/3 of your data, like 1/2 of our respondents said they did, you don’t get to choose which computers will decrypt OK and which will fail.
Murphy’s law warns you that the laptops you could have reimaged easily enough will probably decrypt just fine, while those servers you really meant to back up but didn’t… probably won’t.
We’re going to try to make the talk amusing (as amusing as we dare be when talking about such a treacherous subject), but with a serious yet not-too-technical side.
We’ll be giving some tips you can use both at work and at home to reduce the risk of getting ransomed in the first place.
No cybersecurity plan will ever be perfect, and no defense is impenetrable. With the dangers and costs of a successful ransomware attack on an organization increasing daily, it is important for cybersecurity and business leaders to have a prevention and recovery plan in place before disaster strikes.
In Ransomware Protection Playbook, experienced penetration tester and cybersecurity evangelist Roger Grimes lays out the steps and considerations organizations need to have in place, including technical preventative measures, cybersecurity insurance, legal plans, and a response plan. From there he looks at the all-important steps to stop and recover from an ongoing attack, starting with detecting the attack, limiting the damage, and what’s becoming a trickier question with every new attack – whether or not to pay the ransom.
No organization with mission-critical systems or data can afford to be unprepared for ransomware. Prepare your organization with the Ransomware Protection Playbook.
It might seem logical to try to negotiate the ransom demand down to an amount that isn’t going to break the bank but would still be enough to satiate cybercriminals’ thirst for cash. Unfortunately, this isn’t a good idea, because negotiations can backfire and even cause ransomware gangs to increase their ransom demands.
This recently happened to Acer when they attempted to negotiate a $50 million ransomware demand down to $10 million. As retaliation, the REvil gang threatened to double the ransom if they didn’t receive the $50 million.
Another example is the Egregor ransomware gang, which often threatens to publish their victims’ data online if they negotiate or fail to deliver on ransom payments. If you’re not looking to add your company’s name to the list of failed negotiations, keep reading to find out some do’s and don’ts of planning for ransomware incidents.
DO: Create a plan before crisis strikes
A ransomware attack affecting your business in today’s digital economy is a matter of “when,” not “if.” Cybersecurity is an arms race, and as technological innovation grows, cybercriminals are also constantly innovating to develop new and more damaging attack methods. That’s why it’s essential to prepare for an attack as if it were as certain as the sky being blue, hopefully enabling you to avoid any negotiations altogether.
The core functionality of ransomware is two-fold: to encrypt data and deliver the ransom message. This encryption can be relatively basic or maddeningly complex, and it might affect only a single device or a whole network.
Ransomware is the fastest-growing malware in the world. In 2015, it cost companies around the world $325 million, which rose to $5 billion by 2017 and is set to hit $20 billion in 2021. The threat of ransomware is not going to disappear, and while the number of ransomware attacks remains steady, the damage they cause is significantly increasing.
Why are small and medium-sized businesses a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion?
According to a recent report by the Ponemon Institute, the biggest challenge faced by SMBs is a shortage of personnel to deal with cyber-risks, attacks, and vulnerabilities, while the second greatest problem revolves around limited budgets. The third biggest challenge is that the firms may lack an understanding of how to protect against cyberattacks.
According to Datto’s report, ransomware is at the top of the list of the malware threats that SMBs face, with one in five reporting that they had fallen victim to a ransomware attack. The average ransom requested by threat actors is about US$5,900. However, that is not the final price tag; the cost of downtime is 23 times greater than the ransom requested in 2019, coming in at US$141,000 and representing an increase of over 200% from 2018 to 2019.
“Funding cybercriminals also funds larger cyberattacks, so it must be reiterated that paying won’t always make the issue go away,” says ESET cybersecurity specialist Jake Moore.
The key, then, is prevention, and it includes these basic measures:
All employees should undergo regular training so as to be up-to-date on cybersecurity best practices. This can go a long way in lowering the chances of them clicking on potentially hazardous links in their emails that could be laced with ransomware or plugging in unknown USB devices that could be loaded with malware.
You should always keep your operating systems and other software updated to the newest version available and, whenever a patch is released, apply it.
Always plan for the worst and hope for the best, so have a business continuity plan at the ready in case disaster strikes. It should include a data backup and maybe even a backup infrastructure you can use while you try to restore your locked systems.
Backups are essential for everyone, be it individuals or huge enterprises. Back up your business-critical data regularly and test those backups frequently to see if they are functioning correctly, so that they don’t leave you in a bind if you’re hit. At least the most valuable data should also be stored off-line.
Reduce the attack surface by disabling or uninstalling any unnecessary software or services. Notably, as remote access services are often the primary vector for many ransomware attacks, you would be well advised to disable internet-facing RDP entirely or at least limit the number of people allowed remote access to the firmâs servers over the internet.
Never underestimate the value of a reputable, multilayered security solution. Besides your employees, it is your first line of defense that you should have up and running to protect you against all manner of threats, not “just” ransomware attacks. Also, make sure the product is patched and up-to-date.
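One concrete way to act on the advice above to test backups regularly, as an added example that is not part of the original article and not any vendor's tooling: a small Python script that records a SHA-256 manifest for a backup set and then checks a restored copy against it, flagging files that are missing, altered or not part of the original set. The directory layout, file contents and the `manifest.json` name are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def verify_restore(restored: Path, manifest: dict) -> list:
    """Compare a restored tree against the manifest; an empty list means success."""
    problems = []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"corrupt: {rel}")
    for p in restored.rglob("*"):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems

def demo() -> tuple:
    """Constructed scenario: a clean restore and one with truncated, missing and stray files."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n" * 100)
        (src / "config.ini").write_text("[backup]\nretention_days=30\n")
        # Persist the manifest as JSON so it can travel with the offline copy.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_path.read_text())
        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")  # truncated
        (bad / "config.ini").unlink()  # lost in the restore
        (bad / "stray.tmp").write_text("leftover")  # not part of the backup set
        return verify_restore(good, manifest), verify_restore(bad, manifest)
```

Keep the manifest with the off-line copy rather than next to the live data, so that a compromise of the production share cannot quietly rewrite both the backup and the record used to check it.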