dark web | Breaking Cybersecurity News | The Hacker News

A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the  REvil ransomware group  orchestrated more than 2,500 ransomware attacks and demanded ransom payments in cryptocurrency totaling more than $700 million. "The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains," the U.S. Department of Justice (DoJ)  said . "To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims' data when victims would not pay ransom demands." Vasinskyi was  extradited  to the U.S. in March 2022 following his arrest in Poland in October 2021. REvil, prior to formally going offline in late 2021, was responsible for a series of high

The U.S. Department of Justice (DoJ) on Wednesday  announced  the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business from 2015 through February 2024. Rodriguez and Hill face a maximum sentence of 25 years in prison each. Rodriguez, the CEO of the company, and CTO Hill intentionally designed Samourai to help "criminals to engage in large-scale money laundering and sanctions evasion," while ostensibly marketing as a privacy-oriented service, the DoJ said. Samourai laundered money from illegal dark web marketplaces, including Silk Road and Hydra, as well as spear-phishing schemes and scams aimed at defrauding multip

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Between crossovers - Do threat actors play dirty or desperate? In our dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack, we noticed that some victims re-occur. Consequently, the question arises why we observe a re-victimization and whether or not this is an actual second attack, an affiliate crossover (meaning an affiliate has gone to another Cyber Extortion operation with the same victim) or stolen data that has been travelling and re-(mis-)used. Either way, for the victims neither is good news.  But first thing's first, let's explore the current threat landscape, dive into one of our most recent research focuses on the dynamics of this ecosystem; and then explore our dataset on Law Enforcement activities in this space. Might the re-occurrence that we observe be foul play by threat actors and thus show how desperately they are trying to regain the trust of their co-offenders after disruption efforts by Law Enforcement? Or are th

The  ransomware industry surged in 2023  as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070.  But 2024 is starting off showing a very different picture.  While the numbers skyrocketed in Q4 2023 with 1309 cases, in Q1 2024, the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023. Figure 1: Victims per quarter There could be several reasons for this significant drop.  Reason 1: The Law Enforcement Intervention Firstly, law enforcement has upped the ante in 2024 with actions against both LockBit and ALPHV. The LockBit Arrests In February, an international operation named "Operation Cronos" culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.  Law enforcement from multiple countries collaborated to take down LockBit's infrastructure. This included seizing their dark web domains and gaining access to their backend sys

The Cyber Police of Ukraine has  arrested  three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world. The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison. The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members. The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums. Other threat actors who purchased the information used the compromised accounts to conduct a variety of  fraudulent schemes , including those in which scammers reach out to the victim's friends to urgently transfer money to their bank account. "You can protect

The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise  seized control  of its servers. To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing. The administrator behind LockBit, in a  lengthy follow-up message , said some of their websites were confiscated by most likely exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they didn't update PHP due to "personal negligence and irresponsibility." "I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed," they noted. They also cla

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, "has engaged with law enforcement," authorities said. The development comes following the  takedown  of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered. "We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement," according to a  message  posted on the now-seized (and offline) dark web data leak site. The move has been  interpreted  by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem. According to research published by Analyst1 in A

Update: The U.K. National Crime Agency (NCA) has confirmed the takedown of LockBit infrastructure. Read here for more details . An international law enforcement operation has led to the seizure of multiple darknet domains operated by  LockBit , one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns. While the full extent of the effort, codenamed  Operation Cronos , is presently unknown, visiting the group's .onion website displays a seizure banner containing the message "The site is now under the control of law enforcement." Authorities from 11 countries, Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the U.K., and the U.S., alongside Europol participated in the joint exercise. Malware research group VX-Underground, in a  message  posted on X (formerly Twitter), said the websites were taken down by exploiting a critical security flaw impacting PHP ( CVE-2023-3824 , CVSS score: 9.8

A malicious Python script known as  SNS Sender  is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service ( SNS ). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne  said  in a new report, attributing it to a threat actor named ARDUINO_DAS. "The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," security researcher Alex Delamotte said. SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale. The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition t

The U.S. Department of State has  announced  monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation. It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person "conspiring to participate in or attempting to participate in Hive ransomware activity." The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort  covertly infiltrated and dismantled  the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. One person with suspected ties to the group was  arrested  in Paris in December 2023. Hive, which emerged in mid-2021, targeted more than 1,500 victims in over 80 countries, netting about $100 million in illegal revenues. In November 2023, Bitdefender  revealed  that a new ransomware group called Hunters International had acquired the source code and infrastructure

The operators of  Raspberry Robin  are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point  said  in a report this week. Raspberry Robin (aka QNAP worm), first documented in 2021, is an  evasive malware family  that's known to act as one of the  top initial access facilitators  for other malicious payloads, including ransomware. Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft  describing  it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like  Evil Corp, Silence, and TA505 . Raspberry Robin's use of one-day exploits such as CVE-2020-