The Hacker News - Cybersecurity News and Analysis: ransomware

As hospitals around the world are struggling to respond to the coronavirus crisis, cybercriminals—with no conscience and empathy—are continuously targeting healthcare organizations, research facilities, and other governmental organizations with ransomware and malicious information stealers. The new research, published by Palo Alto Networks and shared with The Hacker News, confirmed that "the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are in the front lines and responding to the pandemic on a daily basis." While the security firm didn't name the latest victims, it said a Canadian government healthcare organization and a Canadian medical research university both suffered ransomware attacks, as criminal groups seek to exploit the crisis for financial gain. The attacks were detected between March 24 and March 26 and were initiated as part of the coronavirus-themed phishing campaigns that have become widespr

In our previous stories, you might have already read about various campaigns warning how threat actors are capitalizing on the ongoing coronavirus pandemic in an attempt to infect your computers and mobile devices with malware or scam you out of your money. Unfortunately, to some extent, it's working, and that's because the attack surface is changing and expanding rapidly as many organizations and business tasks are going digital without much preparation, exposing themselves to more potential threats. Most of the recent cyberattacks are primarily exploiting the fears around the COVID-19 outbreak—fueled by disinformation and fake news—to distribute malware via Google Play apps , malicious links and attachments, and execute ransomware attacks. Here, we took a look at some of the wide range of unseen threats rising in the digital space, powered by coronavirus-themed lures that cybercriminals are using for espionage and commercial gain. The latest development adds to a l

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructures about a new ransomware threat that if left unaddressed could have severe consequences. The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company's internal network, encrypting critical data and knocking servers out of operation for almost two days. "A cyber threat actor used a spear-phishing link to obtain initial access to the organization's information technology network before pivoting to its operational technology network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks," CISA noted in its alert. As ransomware attacks continue to escalate in frequency and scale , the new development is yet another indication that p

A new variant of Vega ransomware family, dubbed Zeppelin , has recently been spotted in the wild targeting technology and healthcare companies across Europe, the United States, and Canada. However, if you reside in Russia or some other ex-USSR countries like Ukraine, Belorussia, and Kazakhstan, breathe a sigh of relief, as the ransomware terminates its operations if found itself on machines located in these regions. It's notable and interesting because all previous variants of the Vega family, also known as VegaLocker, were primarily targeting Russian speaking users, which indicates Zeppelin is not the work of the same hacking group behind the previous attacks. Since Vega ransomware and its previous variants were offered as a service on underground forums, researchers at BlackBerry Cylance believes either Zeppelin "ended up in the hands of different threat actors" or "redeveloped from bought/stolen/leaked sources." According to a report BlackBerry Cyl

Targeted ransomware attacks on banking and finance, government , healthcare , and critical infrastructure are on the rise, with the latest victim being the state government of Louisiana. The state government of Louisiana was hit by a large-scale coordinated ransomware attack yesterday, which forced the state to take several state agency servers offline, including government websites, email systems, and other internal applications, to mitigate the risk of the malware's infection from spreading. The Monday's ransomware attack resulted in the subsequent shutdown of a majority of large state agencies, including the Office of the Governor, the Office of Motor Vehicles, the Department of Health, the Department of Children and Family Services, and the Department of Transportation and Development, among others. Louisiana Gov. John Bel Edwards revealed the incident in a series of tweets, saying that he had activated the state's cybersecurity team in response to the cyber

Security researchers have tracked down activities of a new group of financially-motivated hackers that are targeting several businesses and organizations in Germany, Italy, and the United States in an attempt to infect them with backdoor, banking Trojan, or ransomware malware. Though the new malware campaigns are not customized for each organization, the threat actors appear to be more interested in businesses, IT services, manufacturing, and healthcare industries who possess critical data and can likely afford high ransom payouts. According to a report ProofPoint shared with The Hacker News, the newly discovered threat actors are sending out low-volume emails impersonating finance-related government entities with tax assessment and refund lured emails to targeted organizations. "Tax-themed Email Campaigns Target 2019 Filers, finance-related lures have been used seasonally with upticks in tax-related malware and phishing campaigns leading up to the annual tax filing deadlines in

Everis , one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely. Ransomware is a computer virus that encrypts files on an infected system until a ransom is paid. According to several local media, Everis informed its employees about the devastating widespread ransomware attack, saying: "We are suffering a massive virus attack on the Everis network. Please keep the PCs off. The network has been disconnected with clients and between offices. We will keep you updated." "Please, urgently transfer the message directly to your teams and colleagues due to standard communication problems." According to cybersecurity consultant  Arnau Estebanell Castellví , the malware encrypted files on Everis's computers with an extension name resembling the company's name, i.e., " .3v3r1s ," which suggests the at

THIS WEEK IN THE IRONIC NEWS: DDS Safe, an online cloud-based data backup system that hundreds of dental practice offices across the United States are using to safeguard medical records and other information of their patients from ransomware attacks has been hit with ransomware. Provided by two Wisconsin-based companies, Digital Dental Record and PerCSoft, the backend system of affected medical records retention and backup solutions has probably been hit by Sodinokibi ransomware , also known as Sodin or REvil malware. Though it's not yet clear how attackers managed to compromise the company's infrastructure, the latest ransomware attack is yet another example of successful supply chain attack, crippling computer systems in 400 dental practice offices around the United States this week. According to statements released by both companies, the ransomware virus hit a remote data management software on Monday, August 26, that DDS Safe uses to back up its client data and

The threat of ransomware is becoming more prevalent and severe as attackers' focus has now moved beyond computers to smartphones and other Internet-connected smart devices. In its latest research, security researchers at cybersecurity firm CheckPoint demonstrated how easy it is for hackers to remotely infect a digital DSLR camera with ransomware and hold private photos and videos hostage until victims pay a ransom. Yes, you heard me right. Security researcher Eyal Itkin discovered several security vulnerabilities in the firmware of Canon cameras that can be exploited over both USB and WiFi, allowing attackers to compromise and take over the camera and its features. According to a security advisory  released  by Canon, the reported security flaws affect Canon EOS-series digital SLR and mirrorless cameras, PowerShot SX740 HS, PowerShot SX70 HS, and PowerShot G5X Mark II. "Imagine how would you respond if attackers inject ransomware into both your computer and the c

Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city's power company got attacked by a ransomware virus. City Power, the company responsible for powering South Africa's financial capital Johannesburg, confirmed Thursday on Twitter that it had been hit by a Ransomware virus that had encrypted all of its databases, applications, and network. The attack prevented prepaid customers from buying electricity units, upload invoices when making payments, or access the City Power's official website, eventually leaving them without power. "Please note that the virus hit us early Thursday morning, compromising our database and other software, impacting most of our applications and networks," the city government said in a tweet . However, the company has also ensured its customers that none of their details were compromised in the cyber attack. At the time of writing, the company confirmed they h

A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News. Ideal for home and small business, NAS devices are dedicated file storage units connected to a network or through the Internet, which allow users to store and share their data and backups with multiple computers. Independently discovered by researchers at two separate security firms, Intezer and Anomali, the new ransomware family targets poorly protected or vulnerable QNAP NAS servers either by brute forcing weak SSH credentials or exploiting known vulnerabilities. Dubbed " QNAPCrypt " by Intezer and " eCh0raix " by Anomali, the new ransomware is written in the Go programming language and encrypts files with targeted extensions using AES encryption and appends .encrypt extension to each. However, if a compromised NAS devic

In the last two weeks, Florida has paid more than $1.1 million in bitcoin to cybercriminals to recover encrypted files from two separate ransomware attacks—one against Riviera Beach and the other against Lake City . Lake City, a city in northern Florida, agreed on Monday to pay hackers 42 Bitcoin (equivalent to $573,300 at the current value) to unlock phone and email systems following a ransomware attack that crippled its computer systems for two weeks. The ransomware attack, dubbed "Triple Threat" since it combines three different methods of attack to target network systems, infected Lake City systems on June 10 after an employee in city hall opened a malicious email. Though the IT staff disconnected computers within just 10 minutes of the cyber attack starting, it was too late. The attack locked down the city workers' email accounts and servers. Since the police and fire departments operate on a different server, they were the only ones not impacted by the a

For the second time in just over a year, the city of Baltimore has been hit by a ransomware attack, affecting its computer network and forcing officials to shut down a majority of its computer servers as a precaution. Ransomware works by encryption files and locking them up so users can't access them. The attackers then demand a ransom amount, typically in Bitcoin digital currency, in exchange for the decryption keys use to unlock the files. The ransomware attack on the Baltimore City Hall took place on Tuesday morning and infected the city's technology systems with an unknown ransomware virus, which according to government officials, is apparently spreading throughout their network. According to new Baltimore Mayor Bernard C. Jack Young, Baltimore City's critical public safety systems, such as 911, 311, emergency medical services and the fire department, are operational and not affected by the ransomware attack. Young also says the city technology officials are

Taking advantage of newly disclosed and even patched vulnerabilities has become common among cybercriminals, which makes it one of the primary attack vectors for everyday-threats, like crypto-mining, phishing, and ransomware. As suspected, a recently-disclosed critical vulnerability in the widely used Oracle WebLogic Server has now been spotted actively being exploited to distribute a never-before-seen ransomware variant, which researchers dubbed " Sodinokibi ." Last weekend, The Hacker News learned about a critical deserialization remote code execution vulnerability in Oracle WebLogic Server that could allow attackers to remotely run arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization. To address this vulnerability (CVE-2019-2725), which affected all versions of the Oracle WebLogic software and was given a severity score of 9.8 out of 10, Oracle rolled out an out-of-band security update on

Photo by Terje Pedersen / NTB scanpix One of the world's largest producers of aluminum has been forced to shut down several of its plants across Europe and the U.S. after an "extensive cyber attack" hit its operations, leaving companies' IT systems unusable. According to a press release shared by Aluminum giant Norsk Hydro today, the company has temporarily shut down several plants and switched to manual operations, "where possible," in countries including Norway, Qatar, and Brazil in an attempt to continue some of its operations. The cyber attack, that began in the U.S.,was first detected by the company's IT experts around late Monday evening CET and the company is working to neutralize the attack, as well as investigating to know the full extent of the incident. "Hydro's main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents," t

It's not at all surprising that downloading movies and software from the torrent network could infect your computer with malware, but it's more heartbreaking when a popular, trusted file uploader goes rogue. Popular software cracks/keygens uploader "CracksNow," who had trusted status from many torrent sites, has now been banned from several torrent sites after he was repeatedly found distributing the malware bundled with his uploads. In recent months, according to TorrentFreak , many downloaders complained that the files they downloaded, shared by CracksNow on torrents, found containing GandCrab ransomware and other malware that can do severe damage to computers. Discovered earlier last year, GandCrab is a widespread ransomware threat, like every other ransomware in the market, that encrypts all files on an infected system and blackmails victims to pay a ransom in digital currency to unlock them. GandCrab ransomware was being distributed late last month via a

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros and then uses Powershell to deliver fileless malware. Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors. Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and insists victims to pay a ransom

If your computer has been infected with PyLocky Ransomware and you are searching for a free ransomware decryption tool to unlock or decrypt your files—your search might end here. Security researcher Mike Bautista at Cisco's Talos cyber intelligence unit have released a free decryption tool that makes it possible for victims infected with the PyLocky ransomware to unlock their encrypted files for free without paying any ransom. The decryption tool works for everyone, but it has a huge limitation—to successfully recover your files, you must have captured the initial network traffic (PCAP file) between the PyLocky ransomware and its command-and-control (C2) server, which generally nobody purposely does. This is because the outbound connection—when the ransomware communicates with its C2 server and submit decryption key related information—contains a string that includes both Initialization Vector (IV) and a password, which the ransomware generates randomly to encrypt the file