The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: ransomware

Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations

Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations

May 12, 2021Ravie Lakshmanan
The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met. "The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data," the gang said in a statement on their data leak site. "You still have the ability to stop it," it added. The Babuk group is said to have  stolen 250GB of data , including investigation reports, arrests, disciplinary actions, and other intelligence briefings. Like other ransomware platforms, DarkSide adheres to a practice called double extortion, which involves demanding money in return for unlocking files and servers en
U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyber Attack

U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyber Attack

May 11, 2021Ravie Lakshmanan
The ransomware attack  against Colonial Pipeline's networks has prompted the U.S. Federal Motor Carrier Safety Administration (FMCSA) to issue a  regional emergency declaration  in 17 states and the District of Columbia (D.C.). The declaration provides a temporary exemption to Parts 390 through 399 of the Federal Motor Carrier Safety Regulations ( FMCSRs ), allowing alternate transportation of gasoline, diesel, and refined petroleum products to address supply shortages stemming from the attack. "Such [an] emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States," the directive said. "This Declaration addresses the emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief." The states
Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down

Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down

May 09, 2021Ravie Lakshmanan
Colonial Pipeline , which carries 45% of the fuel consumed on the U.S. East Coast, on Saturday said it halted operations due to a ransomware attack,  once again demonstrating  how infrastructure is vulnerable to cyber attacks. "On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack," the company  said  in a statement posted on its website. "We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems." Colonial Pipeline is the largest refined products pipeline in the U.S., a 5,500 mile (8,851 km) system involved in transporting over 100 million gallons from the Texas city of Houston to New York Harbor. Cybersecurity firm FireEye's Mandiant incident response division is said to be assisting with the investigation, according to reports from  Bloomberg
Researchers Uncover Iranian State-Sponsored Ransomware Operation

Researchers Uncover Iranian State-Sponsored Ransomware Operation

May 03, 2021Ravie Lakshmanan
Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps ( IRGC ) was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard' (ENP)," cybersecurity firm Flashpoint  said  in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel. Dubbed "Project Signal," the initiative is said to have kickstarted sometime between late July 2020 and early September 2020, with ENP's internal research organization, named the "Studies Center," putting together a list of unspecified target websites. A second spreadsheet validated by Flashpoint explicitly spelled out the project's financial motivations, with plans to launch the ransomware operations in late
Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks

Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks

April 30, 2021Ravie Lakshmanan
An "aggressive" financially motivated threat group tapped into a zero-day flaw in SonicWall VPN appliances prior to it being patched by the company to deploy a new strain of ransomware called FIVEHANDS. The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product ( CVE-2021-20016 , CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution. "UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers  said . "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics." CVE-2021-20016 is the same  zero-day  that the
Hackers Threaten to Leak D.C. Police Informants' Info If Ransom Is Not Paid

Hackers Threaten to Leak D.C. Police Informants' Info If Ransom Is Not Paid

April 27, 2021Ravie Lakshmanan
The Metropolitan Police Department (MPD) of the District of Columbia has become the latest high-profile government agency to fall victim to a ransomware attack. The Babuk Locker gang claimed in a post on the dark web that they had compromised the DC Police's networks and stolen 250 GB of unencrypted files. Screenshots shared by the group, and seen by The Hacker News, include various folders containing what appears to be investigation reports, arrests, disciplinary actions, and other intelligence briefings. Also called the DC Police, the MPD is the primary law enforcement agency for the District of Columbia in the U.S. The ransomware gang has given the department three days to heed to their ransom demand or risk leaking sensitive files that could expose police informants to criminal gangs. "Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as p
New QNAP NAS Flaws Exploited In Recent Ransomware Attacks - Patch It!

New QNAP NAS Flaws Exploited In Recent Ransomware Attacks - Patch It!

April 23, 2021Ravie Lakshmanan
A new ransomware strain called " Qlocker " is targeting QNAP network attached storage (NAS) devices as part of an ongoing campaign and encrypting files in password-protected 7zip archives. First reports of the  infections   emerged on April 20, with the adversaries behind the operations demanding a bitcoin payment (0.01 bitcoins or about $500.57) to receive the decryption key. In response to the ongoing attacks, the Taiwanese company has released an advisory prompting users to apply updates to QNAP NAS running Multimedia Console, Media Streaming Add-on, and HBS 3 Hybrid Backup Sync to secure the devices from any attacks. "QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS," the company  said . "The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks."
Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets

Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets

April 08, 2021Ravie Lakshmanan
Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks. At least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim. The attacks happened in the first quarter of 2021, between January and March. "Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,"  said  Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)  warned  of advanced persistent threat (APT) actor
Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers

Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers

March 25, 2021Ravie Lakshmanan
More than a week after Microsoft released a  one-click mitigation tool  to mitigate cyberattacks targeting on-premises Exchange servers, the company  disclosed  that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities. The development, a 43% improvement from the previous week, caps off a whirlwind of espionage and malware campaigns that hit thousands of companies worldwide, with as many as 10 advanced persistent threat (APT) groups opportunistically moving quickly to exploit the bugs. According to telemetry data from RiskIQ, there are roughly 29,966 instances of Microsoft Exchange servers still exposed to attacks, down from 92,072 on March 10. While Exchange servers were under assault by multiple Chinese-linked state-sponsored hacking groups prior to  Microsoft's patch  on March 2, the release of  public proof-of-concept  exploits fanned a feeding frenzy of infections, opening the door for escalating attacks like ransomwar
Hackers Are Targeting Microsoft Exchange Servers With Ransomware

Hackers Are Targeting Microsoft Exchange Servers With Ransomware

March 12, 2021Ravie Lakshmanan
It didn't take long. Intelligence agencies and cybersecurity researchers had been warning that unpatched Exchange Servers could open the pathway for ransomware infections in the wake of swift escalation of the attacks since last week. Now it appears that threat actors have caught up.  According to the latest reports , cybercriminals are leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called "DearCry." "Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A," Microsoft researcher Phillip Misner  tweeted . "Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers." Microsoft's security intelligence team, in a separate tweet,  confirmed  that it has begun "blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers.&q
Researchers Unearth Links Between SunCrypt and QNAPCrypt Ransomware

Researchers Unearth Links Between SunCrypt and QNAPCrypt Ransomware

March 02, 2021Ravie Lakshmanan
SunCrypt, a ransomware strain that went on to infect several targets last year, may be an updated version of the QNAPCrypt ransomware, which targeted Linux-based file storage systems, according to new research. "While the two ransomware [families] are operated by distinct different threat actors on the dark web, there are strong technical connections in code reuse and techniques, linking the two ransomware to the same author,"  Intezer Lab  researcher Joakim Kennedy said in a malware analysis published today revealing the attackers' tactics on the dark web. First identified in July 2019,  QNAPCrypt  (or  eCh0raix ) is a ransomware family that was found to target Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. The devices were compromised by brute-forcing weak credentials and exploiting known vulnerabilities with the goal of encrypting files found in the system. The ransomware has since been tracked to a Russian cybercrime
Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

March 01, 2021Ravie Lakshmanan
A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. "The  Gootkit  malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt  said  in a write-up published today. "In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself." Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S. First documented in 2014, Gootkit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft. Over the years, the
Everything You Need to Know About Evolving Threat of Ransomware

Everything You Need to Know About Evolving Threat of Ransomware

February 24, 2021The Hacker News
The cybersecurity world is constantly evolving to new forms of threats and vulnerabilities. But ransomware proves to be a different animal—most destructive, persistent, notoriously challenging to prevent, and is showing no signs of slowing down. Falling victim to a ransomware attack can cause significant data loss, data breach, operational downtime, costly recovery, legal consequences, and reputational damage. In this story, we have covered everything you need to know about ransomware and how it works. What is ransomware? Ransomware is a malicious program that gains control over the infected device, encrypts files, and blocks user access to the data or a system until a sum of money, or ransom, is paid. Crooks' scheme includes a ransom note—with amount and instructions on how to pay a ransom in return for the decryption key—or direct communication with the victim. While ransomware impacts businesses and institutions of every size and type, attackers often target healthcare, e
Authorities Seize Dark-Web Site Linked to the Netwalker Ransomware

Authorities Seize Dark-Web Site Linked to the Netwalker Ransomware

January 28, 2021Ravie Lakshmanan
U.S. and Bulgarian authorities this week took control of the dark web site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims. "We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,"  said  Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department's Criminal Division. "Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today's multi-faceted operation." In connection with the takedown, a Canadian national named Sebastien Vachon-Desjardins from the city of Gatineau was charged in the U.S. state of Florida for extorting $27.6 million in cryptocurrency from ransom payments. Separately, the
Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips

Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips

January 13, 2021Ravie Lakshmanan
Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker's newly announced 11th generation Core  vPro  business-class processors. The hardware-based security enhancements are baked into Intel's vPro platform via its  Hardware Shield  and  Threat Detection Technology  (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU performance. "The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks," Cybereason  said . Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the  BIOS , thereby ensuring that the operating system (OS) runs on legitimate hardware as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running to help prevent planted malware from compromising the OS
Healthcare Industry Witnessed 45% Spike in Cyber Attacks Since Nov 20

Healthcare Industry Witnessed 45% Spike in Cyber Attacks Since Nov 20

January 05, 2021Ravie Lakshmanan
Cyberattacks targeting healthcare organizations have spiked by 45% since November 2020 as COVID-19 cases continue to increase globally. According to a new report published by Check Point Research today and shared with The Hacker News, this increase has made the sector the most targeted industry by cybercriminals when compared to an overall 22% increase in cyberattacks across all industry sectors worldwide seen during the same time period. The average number of weekly attacks in the healthcare sector reached 626 per organization in November as opposed to 430 the previous month, with attack vectors ranging from ransomware, botnets, remote code execution, and distributed denial-of-service (DDoS) attacks. Ransomware attacks against hospitals also marked their biggest jump, with  Ryuk  and Sodinokibi emerging as the primary ransomware variants employed by various criminal groups. "The usage of Ryuk emphasizes the trend of having more targeted and tailored ransomware attacks rath
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.