#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

ransomware | Breaking Cybersecurity News | The Hacker News

Category — ransomware
Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Nov 13, 2024 Ransomware / Data Protection
Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks." ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan. Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors are increasingly abusing trusted relationships to infiltrate the supply chain. In the next stage, the threat ac
New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Nov 12, 2024 Cyber Attack / Cybercrime
Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said . "Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities." Kaspersky said it observed the ransomware used in a cyber attack targeting an unnamed organization in Colombia, with the threat actors previously delivering the RustyStealer malware to gather corporate credentials. It's believed that the stolen credentials were used to gain unauthorized access to the company's n
cyber security

Earn a Master's in Cybersecurity Risk Management

websiteGeorgetown UniversityCyber Security
Lead the future of cybersecurity risk management with an online Master's from Georgetown.
CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

Nov 08, 2024 Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that could lead to an admin account takeover. "Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA said in an alert. The shortcoming impacts all versions of Expedition prior to version 1.2.92, which was released in July 2024 to plug the problem. There are currently no reports on how the vulnerability is being weaponized in real-world attacks, but Palo Alto Networks has since revised its original adviso
cyber security

Permiso Security's 2024 State of Identity Security Report

websitePermisoThreat Detection / Identity Security
More than 90% of respondents expressed concern over their team and tooling's ability to detect identity-based attacks. Learn about critical gaps in security programs and what environments pose the most risk to security teams. Download the Report.
VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

Nov 06, 2024 SaaS Security / Threat Detection
An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. "Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware," Israeli cybersecurity company Hunters said in a new report. "This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems." Hunters said it discovered the campaign in September 2024 after it responded to a cyber incident targeting a critical infrastructure organization in the United States. It did not disclose the name of the company, instead giving it the designation "Org C." The activity is believed to have commenced a month prior, with the attack culminating i
INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime

INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime

Nov 06, 2024 Cyber Threat / Cybercrime
INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation. Dubbed Operation Synergia II, the coordinated effort ran from April 1 to August 31, 2024, targeting phishing, ransomware, and information stealer infrastructure. "Of the approximately 30,000 suspicious IP addresses identified, 76 per cent were taken down and 59 servers were seized," INTERPOL said . "Additionally, 43 electronic devices, including laptops, mobile phones and hard disks were seized." The actions also led to the arrest of 41 individuals, with 65 others still under investigation. Some of the other key outcomes across countries are listed below - Takedown of more than 1,037 servers by Hong Kong police Seizure of a server and the identification of 93 individuals with links to illegal cyber activities in Mongolia Disruption of 291 servers in Macau Identification of 11 individuals with links to malicious servers and
Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices

Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices

Nov 05, 2024 Vulnerability / Data Security
Taiwanese network-attached storage (NAS) appliance maker Synology has addressed a critical security flaw impacting DiskStation and BeePhotos that could lead to remote code execution. Tracked as CVE-2024-10443 and dubbed RISK:STATION by Midnight Blue, the zero-day flaw was demonstrated at the Pwn2Own Ireland 2024 hacking contest by security researcher Rick de Jager. RISK:STATION is an "unauthenticated zero-click vulnerability allowing attackers to obtain root-level code execution on the popular Synology DiskStation and BeeStation NAS devices, affecting millions of devices," the Dutch company said . The zero-click nature of the vulnerability means it does not require any user interaction to trigger the exploitation, thereby allowing attackers to gain access to the devices to steal sensitive data and plant additional malware. The flaw impacts the following versions - BeePhotos for BeeStation OS 1.0 (Upgrade to 1.0.2-10026 or above) BeePhotos for BeeStation OS 1.1 (Upgr
North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

Oct 30, 2024 Ransomware / Threat Intelligence
Threat actors linked to North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations. The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces , which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. "We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group," Palo Alto Networks Unit 42 said in a new report published today. "This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network." Andariel, active since at least 2009, is affiliated with North Korea's Reconnaissance General Bureau (RGB). It has been previously observed deploying
Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions

Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions

Oct 26, 2024 Cybercrime / Malware
Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges. Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware. To that end, Zaets and Malozemov were sentenced to 4.5 and 5 years in prison. Khansvyarov and Puzyrevsky received a jail term of 5.5 and 6 years, respectively. The four individuals are part of a group of 14 people who were initially detained in connection with the case. As reported by TASS back in January 2022, eight of them were charged by the court for their malicious activities. The remaining four members, Andrei Bessonov, Mikhail Golovach
New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics

New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics

Oct 24, 2024 Ransomware / Cybercrime
Cybersecurity researchers have discovered an advanced version of the Qilin ransomware sporting increased sophistication and tactics to evade detection. The new variant is being tracked by cybersecurity firm Halcyon under the moniker Qilin.B. "Notably, Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while still retaining Chacha20 for systems that lack this support," the Halcyon Research Team said in a report shared with The Hacker News. "Additionally, RSA-4096 with OAEP padding is used to safeguard encryption keys, making file decryption without the attacker's private key or captured seed values impossible." Qilin, also known as Agenda , first came to the attention of the cybersecurity community in July/August 2022, with initial versions written in Golang before switching to Rust. A May 2023 report from Group-IB revealed that the ransomware-as-a-service (RaaS) scheme allows its affiliates to anywhere between 80% to 85% of
Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA

Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA

Oct 24, 2024 Ransomware / Generative AI
Sometimes, it turns out that the answers we struggled so hard to find were sitting right in front of us for so long that we somehow overlooked them. When the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, issues a cybersecurity warning and prescribes specific action, it's a pretty good idea to at least read the joint advisory. In their advisory AA24-242A, DHS/CISA and the FBI told the entire cybercriminal-stopping world that to stop ransomware attacks, organizations needed to implement phishing-resistant MFA and ditch SMS-based OTP MFA.  The Best Advice I Never Followed  This year, we have experienced an astonishing surge in ransomware payments, with the average payment increasing by a staggering 500%. Per the "State of Ransomware 2024" report from cybersecurity leader Sophos, the average ransom has jumped by 5X reaching $2 million from $400,000 last year. Even more troubling, RISK &
Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

Oct 24, 2024 Vulnerability / Cyber Attack
The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it made the discovery after it came across a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the zero-day exploit simply upon visiting a fake game website ("detankzone[.]com") that was aimed at individuals in the cryptocurrency sector. The campaign is estimated to have commenced in February 2024. "On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version," Kaspersky researchers Boris Larin and Vasily Berdnikov said . "But that was just a disguise. Under the
Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Oct 23, 2024 Ransomware / Cloud Security
Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said . "However, such is not the case, and the attacker only seems to be capitalizing on LockBit's notoriety to further tighten the noose on their victims." The ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate data exfiltration to the cloud, a sign that adversaries are increasingly weaponizing popular cloud service providers for malicious schemes. The AWS account used in the campaign is presumed to be either their own or compromised. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts
North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

Oct 20, 2024 Insider Threat / Cyber Espionage
North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks. "In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes," Secureworks Counter Threat Unit (CTU) said in an analysis published this week. "In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024." The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267 . The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea's strategic and financial interests, refers to an insider threat
Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

Oct 19, 2024 Network Security / Data Breach
A nascent threat actor known as Crypt Ghouls has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware with the twin goals of disrupting business operations and financial gain. "The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others," Kaspersky said . "As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk." Victims of the malicious attacks span government agencies, as well as mining, energy, finance, and retail companies located in Russia. The Russian cybersecurity vendor said it was able to pinpoint the initial intrusion vector in only two instances, with the threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN. The VPN connections are said to have originated from IP addresses associated with a Russian hosting provider'
Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

Oct 17, 2024 Threat Intelligence / Malware
The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023. The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647. "This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader," security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted . RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations such as ransomware, extortion, and targeted credential gathering since its emergence in 2022. It's been assessed that the operational tempo of their attacks has increased in recent months with an aim to set up long-term persisten
Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program

Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program

Oct 17, 2024 Ransomware / Network Security
Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group's affiliate panel on the dark web. Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an advertisement, calling for new partners into its affiliate program. "Within the dashboard of the Affiliates' panel of Cicada3301 ransomware group contained sections such as Dashboard, News, Companies, Chat Companies, Chat Support, Account, an FAQ section, and Log Out," researchers Nikolay Kichatov and Sharmine Low said in a new analysis published today. Cicada3301 first came to light in June 2024, with the cybersecurity community uncovering strong source code similarities with the now-defunct BlackCat ransomware group. The RaaS scheme is estimated to have compromised no less th
Expert Insights / Articles Videos
Cybersecurity Resources