ransomware | Breaking Cybersecurity News | The Hacker News

An Iranian advanced persistent threat (APT) actor known as  Agrius  has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, referred to as Fantasy by ESET, is believed to have been delivered via a supply-chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022. Victims include HR firms, IT consulting companies, and a diamond wholesaler in Israel; a South African entity working in the diamond industry; and a jeweller based in Hong Kong. "The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did, ESET researcher Adam Burgher  disclosed  in a Wednesday analysis. "Instead, it goes right to work wiping data." Apostle was  first documented  by SentinelOne in May 2021 as a wiper-turned-ransomware that was deployed in destructive attacks ag

The Vice Society cybercrime group has disproportionately targeted educational institutions, accounting for 33 victims in 2022 and surpassing other ransomware families like LockBit, BlackCat, BianLian, and Hive. Other prominent industry verticals targeted include healthcare, governments, manufacturing, retail, and legal services, according to an  analysis of leak site data  by Palo Alto Networks Unit 42. The cybersecurity company called Vice Society one of the "most impactful ransomware gangs of 2022." Of the 100 organizations affected in total, 35 cases have been reported from the U.S., followed by 18 in the U.K., seven in Spain, six each in Brazil and France, four each in Germany and Italy, and three cases in Australia. Active since May 2021, Vice Society stands apart from other ransomware crews in that it does not use a ransomware variant of its own, rather relying on pre-existing ransomware binaries such as HelloKitty and Zeppelin that are sold on underground forums.

Ransomware attacks keep increasing in volume and impact largely due to organizations' weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations. According to a recent RSM survey, 62% of mid-market companies believe they are at risk of ransomware in the next 12 months. Cybersecurity leaders' sentiment is somewhere on the spectrum between "top-of-mind" to "this gives me serious migraines." As ransomware is still the preferred way for actors to monetize their access, there's a dire need to understand organizational levels of preparedness, and to identify and remediate gaps before an attacker can exploit them. Lean cybersecurity teams can quickly gauge their ransomware readiness by following the NIST CSF framework, asking themselves, "Do we have something like this in place?" for each of the core functions: "

A version of an open source ransomware toolkit called  Cryptonite  has been observed in the wild with wiper capabilities due to its "weak architecture and programming." Cryptonite , unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and its forks have since been taken down. Written in Python, the malware employs the  Fernet module  of the cryptography package to encrypt files with a ".cryptn8" extension. But a  new sample  analyzed by Fortinet FortiGuard Labs has been found to lock files with no option to decrypt them back, essentially acting as a destructive data wiper. But this change isn't a deliberate act on part of the threat actor, but rather stems from a lack of quality assurance that causes the program to crash when attempting to display the ransom note after completing the encryption p

A new data wiper malware called  CryWiper  has been found targeting Russian government agencies, including mayor's offices and courts. "Although it disguises itself as a ransomware and extorts money from the victim for 'decrypting' data, [it] does not actually encrypt, but purposefully destroys data in the affected system," Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko  said  in a write-up. Additional details of the attacks were shared by the Russian-language news publication  Izvestia . The intrusions have not been attributed to a specific adversarial group so far. A C++-based malware, CryWiper is configured to establish persistence via a scheduled task and communicate with a command-and-control (C2) server to initiate the malicious activity. Besides terminating processes related to database and email servers, the malware is equipped with capabilities to delete shadow copies of files and modify the Windows Registry to prevent RDP connections in a