The Hacker News - Cybersecurity News and Analysis: ransomware

The financially motivated  FIN8 actor , in all likelihood, has resurfaced with a never-before-seen ransomware strain called " White Rabbit " that was recently deployed against a local bank in the U.S. in December 2021. That's according to new findings published by Trend Micro, calling out the malware's overlaps with Egregor, which was taken down by Ukrainian law enforcement authorities in February 2021. "One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine," the researchers  noted . "This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis." Egregor, which commenced operations in September 2020 until its operations took a huge hit, is widely believed to be a  reincarnation of Maze , which shut down its criminal enterp

Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation dubbed " WhisperGate " targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia. "The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, corporate vice president of customer security and trust at Microsoft, said , adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions. Also among those affected by the malware is an IT firm that "manages websites for public and private sector clients, including government agencies whose websites were recently defaced ," Burt noted. The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenam

In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations. The surprise takedown, which it said was carried out at the request of the U.S. authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organized cybercrime syndicate. "In order to implement the criminal plan, these persons developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet," the FSB  said  in a statement. In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets u

Ukrainian police authorities have nabbed five members of a gang that's believed to have helped orchestrate attacks against more than 50 companies across Europe and the U.S and caused losses to the tune of more than $1 million. The  special operation , which was carried out in assistance with law enforcement officials from the U.K. and U.S., saw the arrest of an unnamed 36-year-old individual from the capital city of Kyiv, along with his wife and three other accomplices. A total of nine searches across the suspects' homes were carried out, resulting in the seizure of computer equipment, mobile phones, bank cards, flash drives, three cars, and other items with evidence of illegal activity. The Cyber Police of the National Police of Ukraine said the group offered a "hacker service" that enabled financially motivated crime syndicates to send phishing emails containing file-encrypted malware to lock confidential data pertaining to its victims, demanding that the target

In May 2017, the first documented ransomware assault on networked medical equipment happened. The worldwide ransomware assault WannaCry compromised radiological and other instruments in several hospitals during its height, after a software failure caused by a cyberattack on its third-party vendor's oncology cloud service, cancer patients having radiation therapy at four healthcare institutions had to reschedule appointments. These examples show how cyberattacks and data breaches may have a significant impact on the healthcare industry, heavily reliant on connected medical equipment. PHI (patient health information) captured and stored in these connected medical devices must be secured. Because PHI is transferred over the cloud via server-based systems, making it very susceptible to hackers. Ransomware attacks on health care professionals have become more common, sophisticated, and severe in recent years. Individual bad actors have been supplanted as the main perpetrators by orga

A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging  critical flaws  in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems. Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed "large academic institution." The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors. The attempted intrusion exploited the newly discovered  Log4Shell  flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the  VMware Horizon  desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch thr

Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cybercrime gangs to prevent them from victimizing additional companies. "Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups dominating the ecosystem at this point in time are completely different than just a few months ago," Intel 471 researchers  said  in a report published this month. "Yet, even with the shift in the variants, ransomware incidents as a whole are still on the rise." Sweeping law enforcement operations  undertaken by government agencies  in recent months have brought about rapid shifts in the RaaS landscape and turned the tables on ransomware syndicates like Avaddon,  BlackMatter ,  Cl0p ,  DarkSide , Egregor, and  REvil , forcing the actors to slow down or shut down th

Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called  Khonsari  as well as a remote access Trojan named  Orcus  by exploiting the recently disclosed critical Log4j vulnerability . The attack leverages the remote code execution (RCE) flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files. Tracked as CVE-2021-44228 , the RCE vulnerability is also known by the monikers "Log4Shell" or "Logjam" and impacts versions 2.0-beta9 to 2.14.1 of the software library. In simple terms, the bug could force an affected system to download malicious software, giving the attackers a digital beachhead on servers located within corporate networks. Log4j is an op

Europol, the European Union's premier law enforcement agency, has  announced  the arrest of a third Romanian national for his role as a ransomware affiliate suspected of hacking high-profile organizations and companies and stealing large volumes of sensitive data. The 41-year-old unnamed individual was apprehended Monday morning at his home in Craiova, Romania, by the Romanian Directorate for Investigating Organized Crime and Terrorism ( DIICOT ) following a joint investigation in collaboration with the U.S. Federal Bureau of Investigation (FBI). It's not currently known which ransomware gang the suspect was working with, but the development comes a little over a month after Romanian authorities  arrested two affiliates  of the REvil ransomware family, who are believed to have orchestrated no fewer than 5,000 ransomware attacks and extorted close to $600,000 from victims. Affiliates play a key role in the subscription-based ransomware-as-a-service (RaaS) business models, a

Details have emerged about what's the first Rust-language-based ransomware strain spotted in the wild that has already amassed "some victims from different countries" since its launch last month. The ransomware, dubbed  BlackCat , was  disclosed  by MalwareHunterTeam. "Victims can pay with Bitcoin or Monero," the researchers said in a series of tweets detailing the file-encrypting malware. "Also looks they are giving credentials to intermediaries" for negotiations. BlackCat, akin to many other variants that have sprung before it, operates as a ransomware-as-a-service (RaaS), wherein the core developers recruit affiliates to breach corporate environments and encrypt files, but not before stealing the said documents in a double extortion scheme to pressure the targets into paying the requested amount or risk exposure of the stolen data should the companies refuse to pay up. Security researcher Michael Gillespie  called  it a "very sophisticated

Nation-state operators with nexus to Iran are increasingly turning to ransomware as a means of generating revenue and intentionally sabotaging their targets, while also engaging in patient and persistent social engineering campaigns and aggressive brute force attacks. No less than six threat actors affiliated with the West Asian country have been discovered deploying ransomware to achieve their strategic objectives, researchers from Microsoft Threat Intelligence Center (MSTIC)  revealed , adding "these ransomware deployments were launched in waves every six to eight weeks on average." Of note is a threat actor tracked as  Phosphorus  (aka Charming Kitten or APT35), which has been found scanning IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain initial access and persistence on vulnerable networks, before moving to deploy additional payloads that enable the actors to pivot to other machines and deploy ransomware.

The U.S. government on Monday charged a Ukrainian suspect, arrested in Poland last month, with deploying REvil ransomware to target multiple businesses and government entities in the country, including perpetrating the attack against software company Kaseya, marking the latest action to crack down on the cybercrime group and curb further attacks. According to unsealed court documents, 22-year-old Yaroslav Vasinskyi is  alleged  to have been part of the ransomware operation at least since March 2019 and deployed about 2,500 attacks against businesses worldwide. Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was apprehended at the Polish border on October 8 after an international arrest warrant was issued at the behest of U.S. authorities. In another major development, the Justice Department disclosed the seizure of $6.1 million in alleged ransomware payments received by Russian national Yevgeniy Polyanin, who is currently at large and has

Romanian law enforcement authorities have  announced  the arrest of two individuals for their roles as affiliates of the REvil ransomware family, dealing a severe blow to one of the most prolific cybercrime gangs in history. The suspects are believed to have  orchestrated  more than 5,000 ransomware attacks and extorted close to $600,000 from victims, according to Europol. The arrests, which happened on November 4, are part of a coordinated operation called GoldDust , which has resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea since February 2021. This also includes a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was arrested in early October and has been accused of perpetrating the  devastating attack  on Florida-based software firm Kaseya in July 2021, affecting up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to have targeted about 7,000 vic

A previously undocumented initial access broker has been unmasked as providing entry points to three different threat actors for mounting intrusions that range from financially motivated ransomware attacks to phishing campaigns. BlackBerry's research and intelligence team dubbed the entity " Zebra2104 ," with the group responsible for offering a means of a digital approach to ransomware syndicates such as MountLocker and Phobos, as well as the advanced persistent threat (APT) tracked under the moniker  StrongPity  (aka Promethium). The threat landscape as we know it has been increasingly dominated by a category of players known as the initial access brokers ( IABs ), who are known to provide other cyber-criminal groups, including ransomware affiliates, with a  foothold to an infinite pool of potential organizations  belonging to diverse geographies and sectors via persistent backdoors into the victim networks, effectively building a pricing model for remote access. &

The U.S. government on Thursday announced a $10 million reward for information that may lead to the identification or location of key individuals who hold leadership positions in the DarkSide ransomware group or any of its rebrands. On top of that, the State Department is offering bounties of up to $5 million for intel and tip-offs that could result in the arrest and/or conviction in any country of individuals who are conspiring or attempting to participate in intrusions affiliated with the transnational organized crime syndicate. "In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals," the State Department  said  in a statement. "The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware." The development comes in response to DarkSide's high-pr

An analysis of new samples of BlackMatter ransomware for Windows and Linux has revealed the extent to which the operators have continually added new features and encryption capabilities in successive iterations over a three-month period. No fewer than 10 Windows and two Linux versions of the ransomware have been observed in the wild to date, Group-IB threat researcher Andrei Zhdanov said in a report shared with The Hacker News, pointing out the changes in the implementation of the  ChaCha20 encryption  algorithm used to encrypt the contents of the files. BlackMatter  emerged  in July 2021 boasting of  incorporating  the "best features of DarkSide, REvil, and LockBit" and is considered the successor to DarkSide, which has since shut down alongside REvil in the wake of law enforcement scrutiny. Operating as a ransomware-as-a-service (RaaS) model, the BlackMatter is believed to have hit more than 50 companies in the U.S., Austria, Italy, France, Brazil, among others. What&