ransomware | Breaking Cybersecurity News | The Hacker News

The threat actors behind the CatB ransomware operation have been observed using a technique called  DLL search order hijacking  to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. It's worth noting that the use of Pandora has been attributed to  Bronze Starlight  (aka DEV-0401 or Emperor Dragonfly), a China-based threat actor that's known to employ  short-lived ransomware families  as a ruse to likely conceal its true objectives.  One of the key defining characteristics of CatB is its reliance on DLL hijacking via a legitimate service called Microsoft Distributed Transaction Coordinator ( MSDTC ) to extract and launch the ransomware payload. "Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload," SentinelOne researc

U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious  LockBit 3.0 ransomware . "The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities  said . The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC). Since emerging in late 2019, the  LockBit actors  have invested significant  technical efforts  to develop and fine-tune its malware, issuing two major updates — LockBit 2.0, released in mid-2021, and  LockBit 3.0 , released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. "LockBit 3.0 accepts addition

When it comes to ensuring the security of your APIs, there are four critical capabilities.

Today, the LockBit ransomware is the most active and successful cybercrime organization in the world. Attributed to a Russian Threat Actor, LockBit has stepped out from the shadows of the Conti ransomware group, who were disbanded in early 2022. LockBit ransomware was first discovered in September 2019 and was previously known as ABCD ransomware because of the ".abcd virus" extension first observed. LockBit operates as a Ransomware-as-a-service (RaaS) model. In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates are receiving a share as high of 75%. LockBit's operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking "guarantor" vouches for them.  Initial attack vectors of

A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software ( CVE-2022-47986 , CVSS score: 9.8), according to cybersecurity company SentinelOne. "This strategic shift is a significant move that aligns them with  other   ransomware  groups that also target Linux systems," Alex Delamotte, senior threat researcher at SentinelOne,  said  in a report shared with The Hacker News. A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews. IceFire  was first detected in March 2022 by the  MalwareHunterTeam , but it wasn't until August 2022 tha

Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware. The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol. This encompassed a raid of a German national's house as well as searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian national was also interrogated. Both individuals are believed to have taken up crucial positions in the DoppelPaymer group. "Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices," the agency further  said . In a related development, German authorities issued arrest warrants against three alleged DoppelPaymer operatives – lgor Olegovich Turashev , Igor Garshin (aka Igor Garschin

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  released  a new advisory about  Royal ransomware , which emerged in the threat landscape last year. "After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," CISA  said . The custom  ransomware program , which has targeted U.S. and international organizations since September 2022, is believed to have evolved from earlier iterations that were dubbed Zeon.  What's more, it's said to be  operated  by seasoned threat actors who used to be part of Conti Team One, cybersecurity company Trend Micro disclosed in December 2022. The ransomware group employs call back phishing as a means of delivering their ransomware to victims, a technique  widely adopted  by criminal groups that splintered from the Conti enterprise last year following its shutdown. Other modes of

Romanian cybersecurity company Bitdefender has  released  a free universal decryptor for a nascent file-encrypting malware known as MortalKombat . MortalKombat is a new ransomware strain that emerged in January 2023. It's based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist , detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware. This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files. A decryptor for Xorist was made available by Emsisoft in May 2016. MortalKombat notably was deployed in recent attacks mounted by an unnamed financially motivated threat actor as a part of a phishing campaign aimed at a wide range of organizations. "MortalKombat encrypts vari

Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware. "The PureCrypter campaign uses the domain of a compromised non-profit organization as a command-and-control (C2) to deliver a secondary payload," Menlo Security researcher Abhay Yadav  said . The different types of malware propagated using PureCrypter include  RedLine Stealer ,  Agent Tesla ,  Eternity ,  Blackmoon  (aka  KRBanker ), and  Philadelphia  ransomware. First documented in June 2022, PureCrypter is  advertised  for sale by its author for $59 for one-month access (or $245 for a one-off lifetime purchase) and is capable of distributing a multitude of malware. In December 2022, PureCoder – the developer behind the program –  expanded  the slate of offerings to include a logger and information stealer known as PureLogs, which is designed to si

Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. Find out how to avoid these circumstances and detect unknown malicious behavior efficiently.  Challenges of new threats' detection While known malware families are more predictable and can be detected more easily, unknown threats can take on a variety of forms, causing a bunch of challenges for their detection: Malware developers use polymorphism, which enables them to modify the malicious code to generate unique variants of the same malware.  There is malware that is still not identified and doesn't have any rulesets for detection. Some threats can be Fully UnDetectable (FUD) for some time and challenge perimeter security.  The code is often encrypted, making it difficult to detect by signature-based

More than 500 hosts have been newly compromised en masse by the ESXiArgs ransomware strain, most of which are located in France, Germany, the Netherlands, the U.K., and Ukraine. The  findings  come from attack surface management firm Censys, which  discovered  "two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life." The first set of infections dates back to October 12, 2022, much earlier than when the campaign  began to gain traction  at the start of February 2023. Then on January 31, 2023, the ransom notes on the two hosts are said to have been updated with a revised version that matches the ones used in the current wave. Some of the crucial differences between the two ransom notes include the use of an onion URL instead of a Tox chat ID, a Proton Mail address at the bottom of the note, and a lower ransom demand (1.05 Bitcoin vs. 2.09 Bitcoin). "Each variant of the ransom notes from

A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos  said  it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, primarily focuses on individuals, small businesses, and large organizations located in the U.S., and to a lesser extent in the U.K., Turkey, and the Philippines. The starting point that kicks off the multi-stage attack chain is a phishing email bearing a malicious ZIP file that's used as a pathway to deliver either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover its tracks. MortalKombat, first detected in January 2023, is capable

One thing is clear. The " business value"  of data continues to grow, making it an organization's primary piece of intellectual property. From a cyber risk perspective, attacks on data are the most prominent threat to organizations.  Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT infrastructure & systems that store the data. What Impact Does This Have On The Security Of Storage & Backup Systems? Just a few years ago, almost no CISO thought that storage & backups were important. That's no longer the case today.  Ransomware has pushed backup and recovery back onto the IT and corporate agenda. Cybercriminals, such as Conti, Hive and REvil, are  targeting storage and backup  systems, to prevent recovery. Some ransomwares – Locky and Crypto, for example – now bypass production systems altogether, and directly target backups. This

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from  ESXiArgs ransomware attacks , the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging. Another notable change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information. The threat actors "realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent," Censys  said  in a write-up. "In other words: they are watching." Statistics shared

State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea's national-level priorities and objectives. This includes "cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks," the authorities  said . Threat actors with North Korea have been  linked  to  espionage ,  financial theft , and cryptojacking operations for years, including the infamous  WannaCry ransomware attacks  of 2017 that infected hundreds of thousands of machines located in over 150 countries. Since then, North Korean nation-state crews have dabbled