#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

ransomware | Breaking Cybersecurity News | The Hacker News

Researchers Share In-Depth Analysis of PYSA Ransomware Group

Researchers Share In-Depth Analysis of PYSA Ransomware Group

Apr 18, 2022
An 18-month-long analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle from August 2020, with the malware authors prioritizing features to improve the efficiency of its workflows. This included a user-friendly tool like a full-text search engine to facilitate the extraction of metadata and enable the threat actors to find and access victim information quickly. "The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data," Swiss cybersecurity company PRODAFT  said  in an exhaustive report published last week. PYSA, short for "Protect Your System, Amigo" and a successor to the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most prevalent ransomware strain detected during the fourth quarter of 2021. Since September 2020,
Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity

Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity

Apr 08, 2022
Cybersecurity researchers have uncovered further links between BlackCat (aka ALPHV) and BlackMatter ransomware families, the former of which emerged as a replacement following international scrutiny last year. "At least some members of the new  BlackCat  group have links to the BlackMatter group, because they modified and reused a custom exfiltration tool [...] and which has only been observed in BlackMatter activity," Kaspersky researchers  said  in a new analysis. The tool, dubbed Fendr, has not only been upgraded to include more file types but also used by the gang extensively to steal data from corporate networks in December 2021 and January 2022 prior to encryption, in a popular tactic called double extortion. The findings come less than a month after Cisco Talos researchers  identified  overlaps in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, describing the new ransomware variant as a case of "vertical business expansion.&qu
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the  SaaS supply chain  snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte
FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks

FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks

Apr 05, 2022
The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed. "Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time," incident response firm Mandiant  said  in a Monday analysis. The cybercriminal group, since its emergence in the mid-2010s, has gained notoriety for large-scale malware campaigns targeting the point-of-sale (POS) systems aimed at restaurant, gambling, and hospitality industries with credit card-stealing malware. FIN7's shift in monetization strategy towards ransomware follows an October 2021 report from Recorded Future's Gemini Advisory unit, which  found  the adversary setting up a fake front company named Bastion Secure to recruit unwitt
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
New Python-based Ransomware Targeting JupyterLab Web Notebooks

New Python-based Ransomware Targeting JupyterLab Web Notebooks

Mar 31, 2022
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. "The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack," Assaf Morag, a data analyst at Aqua Security,  said  in a report. The new ransomware sample, which the cloud security firm detected after it was trapped in one of its honeypot servers, is said to have been executed after the unnamed adversary gained access to the server and downloaded the necessary tools required to carry out the encryption process by opening a terminal. Aqua Security characterized the attack as "simple and straightforward," unlike other traditional ransomware-as-a-service (RaaS) schemes, add
Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware

Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware

Mar 18, 2022
An analysis of two ransomware attacks has  identified overlaps  in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, indicating a strong connection between the two groups. While it's typical of ransomware groups to rebrand their operations in response to increased visibility into their attacks,  BlackCat  (aka Alphv) marks a new frontier in that the cyber crime cartel is built out of affiliates of other ransomware-as-a-service (RaaS) operations. BlackCat first emerged in November 2021 and has since targeted several organizations worldwide over the past few months. It has been called out for being similar to  BlackMatter , a short-lived ransomware family that originated from  DarkSide , which, in turn, attracted notoriety for its high-profile attack on  Colonial Pipeline  in May 2021. In an interview with Recorded Future's The Record last month, a BlackCat representative dismissed speculations that it's a rebranding of BlackMatter, while n
Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

Mar 18, 2022
Google's Threat Analysis Group (TAG) took the wraps off a new  initial access broker  that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ( CVE-2021-40444 ) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. "Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job," TAG researchers Vlad Stolyarov and Benoit Sevens  said . "These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid." Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the
Nearly 34 Ransomware Variants Observed in Hundreds of Cyberattacks in Q4 2021

Nearly 34 Ransomware Variants Observed in Hundreds of Cyberattacks in Q4 2021

Mar 15, 2022
As many as 722 ransomware attacks were observed during the fourth quarter of 2021, with LockBit 2.0, Conti, PYSA, Hive, and Grief emerging as the most prevalent strains, according to new research published by Intel 471. The attacks mark an increase of 110 and 129 attacks from the third and second quarters of 2021, respectively. In all, 34 different ransomware variants were detected during the three-month-period between October and December 2021. "The most prevalent ransomware strain in the fourth quarter of 2021 was LockBit 2.0, which was responsible for 29.7% of all reported incidents, followed by Conti at 19%, PYSA at 10.5%, and Hive at 10.1%," the researchers said in a report shared with The Hacker News. Some of the most impacted sectors during the quarterly period were consumer and industrial products; manufacturing; professional services and consulting; real estate; life sciences and health care; technology, media and telecommunications; energy, resources and agric
Ukrainian Hacker Linked to REvil Ransomware Attacks Extradited to United States

Ukrainian Hacker Linked to REvil Ransomware Attacks Extradited to United States

Mar 10, 2022
Yaroslav Vasinskyi , a Ukrainian national, linked to the Russia-based  REvil ransomware group  has been extradited to the U.S. to face charges for his role in carrying out the file-encrypting malware attacks against several companies, including Kaseya last July. The 22-year-old had been previously arrested in Poland in October 2021, prompting the U.S. Justice Department (DoJ) to  file charges  of conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. Ransomware is the digital equivalent of extortion wherein cybercrime actors encrypt victims' data and take it hostage in return for a monetary payment to recover the data, failing which the stolen information is published online or sold to other third-parties. According to the DoJ, in addition to the headline-grabbing attacks on JBS and Kaseya, REvil is said to have propagated its infection to more than 175,000 computers, netting the
Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion

Second New 'IsaacWiper' Data Wiper Targets Ukraine After Russian Invasion

Mar 01, 2022
A new data wiper malware has been observed deployed against an unnamed Ukrainian government network, a day after destructive cyber attacks struck multiple entities in the country preceding the start of Russia's military invasion. Slovak cybersecurity firm ESET dubbed the new malware " IsaacWiper ," which it said was detected on February 24 in an organization that was not affected by  HermeticWiper  (aka FoxBlade), another data wiping malware that targeted several organizations on February 23 as part of a sabotage operation aimed at rendering the machines unusable. Further analysis of the HermeticWiper attacks, which infected at least five Ukrainian organizations, have revealed a worm constituent that propagates the malware across the compromised network and a ransomware module that acts as a "distraction from the wiper attacks," corroborating a  prior report  from Symantec. "These destructive attacks leveraged at least three components: HermeticWiper f
Conti Ransomware Gang's Internal Chats Leaked Online After Siding With Russia

Conti Ransomware Gang's Internal Chats Leaked Online After Siding With Russia

Mar 01, 2022
Days after the Conti ransomware group broadcasted a pro-Russian message pledging its allegiance to Vladimir Putin's ongoing invasion of Ukraine, an anonymous security researcher using the Twitter handle @ContiLeaks has leaked the syndicate's internal chats. The file dump, published by malware research group  VX-Underground , is said to contain 13 months of chat logs between affiliates and administrators of the Russia-affiliated ransomware group from June 2020 to February 2022, in a move that's expected to offer  unprecedented   insight  into the criminal enterprise's inner workings. "Glory to Ukraine," the leaker said in their message. The shared conversations show that Conti used fake front companies to attempt to schedule product demos with security firms like CarbonBlack and Sophos to obtain code signing certificates, with the operators working in scrum sprints to complete the software development tasks. Additionally, the messages  confirm  the  shu
Warning — Deadbolt Ransomware Targeting ASUSTOR NAS Devices

Warning — Deadbolt Ransomware Targeting ASUSTOR NAS Devices

Feb 24, 2022
ASUSTOR network-attached storage (NAS) devices have become the  latest   victim  of Deadbolt ransomware, less than a month after similar attacks singled out  QNAP NAS appliances . In response to the infections, the company has released firmware updates ( ADM 4.0.4.RQO2 ) to "fix related security issues." The company is also urging users to take the following actions to keep data secure – Change your password Use a strong password Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively Change web server ports (Default ports are 80 and 443) Turn off Terminal/SSH and SFTP services and other services you do not use, and Make regular backups and ensure backups are up to date The attacks primarily affect internet-exposed ASUSTOR NAS models running ADM operating systems including, but not limited to, AS5104T, AS5304T, AS6404T, AS7004T, AS5202T, AS6302T, and AS1104T.  Much like the intrusions targeting QNAP NAS devices, the threat actors claim t
Dridex Malware Deploying Entropy Ransomware on Hacked Computers

Dridex Malware Deploying Entropy Ransomware on Hacked Computers

Feb 23, 2022
Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy , suggesting that the operators are continuing to rebrand their extortion operations under a different name. "The similarities are in the software packer used to conceal the ransomware code, in the malware subroutines designed to find and obfuscate commands (API calls), and in the subroutines used to decrypt encrypted text," cybersecurity firm Sophos  said  in a report shared with The Hacker News. The commonalities were uncovered following two unrelated incidents targeting an unnamed media company and a regional government agency. In both cases, the deployment of Entropy was preceded by infecting the target networks with Cobalt Strike Beacons and Dridex, granting the attackers remote access. Despite consistency in some aspects of the twin attacks, they also varied significantly with regards to the initial access vector used to worm their way ins
A Free Solution to Protect Your Business from 6 Biggest Cyber Threats in 2022

A Free Solution to Protect Your Business from 6 Biggest Cyber Threats in 2022

Feb 21, 2022
For the last few years, the cybersecurity threat landscape has gotten progressively more complex and dangerous. The online world is now rife with data thieves, extortionists, and even state actors looking to exploit vulnerabilities in businesses' digital defenses.  And unfortunately — the bad guys have the upper hand at the moment. Part of the reason for that is the fallout from the rapid digitization made necessary by the COVID-19 pandemic. According to research on the subject,  more than half of businesses  have yet to mitigate the risks created by that digitization. And when you add a persistent shortage of cybersecurity workers to that fact, you have the makings of a scary situation. But businesses aren't helpless. There are plenty of things they can do to augment their defenses as they look to mitigate cyber risks. And best of all, some of those options won't cost them a thing. A great example of that is the open-source security platform  Wazuh . It offers busines
Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm

Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm

Feb 20, 2022
Researchers have detailed what they call the "first successful attempt" at decrypting data infected with Hive ransomware without relying on the private key used to lock access to the content. "We were able to recover the master key for generating the file encryption key without the attacker's private key, by using a cryptographic vulnerability identified through analysis," a group of academics from South Korea's Kookmin University  said  in a new paper dissecting its encryption process. Hive, like other cybercriminal groups, operates a ransomware-as-a-service that uses different mechanisms to compromise business networks, exfiltrate data, and encrypt data on the networks, and attempts to collect a ransom in exchange for access to the decryption software. It was  first observed  in June 2021, when it struck a company called Altus Group. Hive leverages a variety of initial compromise methods, including vulnerable RDP servers, compromised VPN credentials,
Justice Department Appoints First Director of National Cryptocurrency Enforcement Team

Justice Department Appoints First Director of National Cryptocurrency Enforcement Team

Feb 19, 2022
The U.S. Department of Justice (DoJ) earlier this week appointed Eun Young Choi to serve as the first Director of the National Cryptocurrency Enforcement Team (NCET) it established last year. The NCET was  created  to tackle the criminal misuse of cryptocurrencies and digital assets," with a focus on illegal activities in virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors to fuel cyberattacks and ransomware and extortion schemes. "The NCET will serve as the focal point for the department's efforts to tackle the growth of crime involving [digital assets and distributed ledger] technologies,"  said  Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department's Criminal Division. Separately, the Federal Bureau of Investigation (FBI) said it's  launching  a new effort of its own called the Virtual Asset Exploitation Unit (VAXU) dedicated to tracking and seizing illicit cryptocurrencies as part o
CISA, FBI, NSA Issue Advisory on Severe Increase in Ransomware Attacks

CISA, FBI, NSA Issue Advisory on Severe Increase in Ransomware Attacks

Feb 10, 2022
Image Source: TechPrivacy Cybersecurity authorities from Australia, the U.K., and the U.S. have published a joint advisory warning of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure organizations across the world in 2021. The incidents singled out a broad range of sectors, including defense, emergency services, agriculture, government facilities, IT, healthcare, financial services, education, energy, charities, legal institutions, and public services. "Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors' growing technological sophistication and an increased ransomware threat to organizations globally," the agencies  said  in the  joint bulletin . Spear-phishing, stolen or brute-forced Remote Desktop Protocol (RDP) credentials, and exploitation of software flaws emerged as the top three initial infection vectors that were used to deploy ransomware on compromised netwo
Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks

Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks

Feb 02, 2022
A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware " StrifeWater ." "The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks," Tom Fakterman, Cybereason security analyst,  said  in a report. "The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions." Moses Staff came to light towards the end of last year when Check Point Research  unmasked  a series of attacks aimed at Israeli or
Cybersecurity Resources