What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
InfoSecurityMag.webp 2023-03-10 16:30:00 IceFire Ransomware Targets Linux Enterprise Networks (direct link) The campaign leveraged the exploitation of a flaw in IBM's Aspera Faspex file-sharing software Ransomware ★★
RecordedFuture.webp 2023-03-10 12:00:00 Ransomware tracker: the latest figures [March 2023] (direct link) * Note: this Ransomware Tracker is updated on the 10th day of each month to stay current * Unlike past years, cybercriminals didn't take a break over the winter holidays. The number of victims posted on ransomware extortion sites rose more than 20% in December to 241 organizations - the highest monthly count since April, Ransomware ★★
bleepingcomputer.webp 2023-03-10 11:30:18 Blackbaud to pay $3M for misleading ransomware attack disclosure (direct link) Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers. [...] Ransomware Cloud ★★
DarkReading.webp 2023-03-09 21:47:10 IceFire Ransomware Portends a Broader Shift From Windows to Linux (direct link) IceFire has changed its OS target in recent cyberattacks, emblematic of ransomware actors increasingly targeting Linux enterprise networks, despite the extra work involved. Ransomware ★★
no_ico.webp 2023-03-09 21:19:11 New Rise In ChatGPT Scams Reported By Fraudsters (direct link) Since the release of ChatGPT, the cybersecurity company Darktrace has issued a warning, claiming that it has observed a rise in criminals utilizing artificial intelligence to craft more intricate schemes to defraud employees and hack into organizations. The Cambridge-based company said that AI has further enabled "hacktivist" cyberattacks employing ransomware to extract money from businesses. The [...] Ransomware Hack ChatGPT ★★
DarkReading.webp 2023-03-09 20:41:03 Medusa Gang Video Shows Minneapolis School District's Ransomed Data (direct link) Much like a hostage's proof-of-life video, the ransomware gang offers the film as verification that it has the goods, and asks $1 million for the data. Ransomware ★★
RecordedFuture.webp 2023-03-09 20:15:00 Canadian military: Ransomware attack on contractor didn't touch defense systems (direct link) Canada's defense department confirmed Thursday that its systems were not affected by a ransomware attack on engineering giant Black & McDonald. Black & McDonald did not respond to repeated requests for comment, but a spokesperson for Canada's Department of National Defence told The Record that it was aware of a ransomware attack on the company. Ransomware ★★★
The_Hackers_News.webp 2023-03-09 19:31:00 IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks (direct link) A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to Ransomware Vulnerability ★★★
globalsecuritymag.webp 2023-03-09 16:51:41 IceFire ransomware returns: Now targeting Linux enterprise networks (direct link) IceFire ransomware returns: Now targeting Linux enterprise networks - Malware Update Ransomware ★★
globalsecuritymag.webp 2023-03-09 16:02:20 76% of the vulnerabilities currently exploited by ransomware groups were discovered before 2020, according to the Ivanti Ransomware Report (direct link) 76% of the vulnerabilities currently exploited by ransomware groups were discovered before 2020, according to the Ivanti Ransomware Report. This joint survey by Cyber Security Works, Ivanti, Cyware and Securin identifies, among other things, 56 new vulnerabilities associated with ransomware, for a total of 344 ransomware threats at the end of 2022. - Investigations Ransomware ★★★
SentinelOne.webp 2023-03-09 13:58:50 IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (direct link) A new Linux version of the IceFire ransomware has been observed in recent network intrusions of media and entertainment enterprises. Ransomware ★★★
SocRadar.webp 2023-03-09 12:21:50 Evolution of Ransomware: So Far and Hereafter (direct link) By SOCRadar Research. Ransomware attacks have become a potential threat to all enterprises, regardless of... Ransomware Threat ★★★★
TrendMicro.webp 2023-03-09 00:00:00 Examining Ransomware Payments From a Data-Science Lens (direct link) In this entry, we discuss case studies that demonstrate how data-science techniques were applied in our investigation of ransomware groups' ransom transactions, as detailed in our joint research with Waratah Analytics, "What Decision-Makers Need to Know About Ransomware Risk." Ransomware Studies ★★★
Blog.webp 2023-03-08 23:00:00 Decryptable iswr Ransomware Being Distributed in Korea (direct link) ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team's monitoring. A characteristic of iswr is that it appends the iswr extension to filenames after the files have been encrypted. The ransom note of this ransomware has the same format as the STOP ransomware, but its encryption method, along with the extensions and folders it targets, differs greatly in its operation routine from... Ransomware ★★
ddosecrets.webp 2023-03-08 21:31:48 Limited distribution: Oakland City Hall (11.7 GB) (direct link) Emails and files from the PLAY ransomware attack on Oakland City Hall, a large city in California with a long history of police abuses. Ransomware ★★
Nozomi.webp 2023-03-08 19:23:33 Addressing TSA's Aviation Security Emergency Mandates for Airlines and Airports (direct link) The Department of Homeland Security (DHS) and its Transportation Security Administration (TSA) have issued a handful of sector-specific cybersecurity directives over the last eighteen months. The effort began as a response to the 2021 ransomware attack on the Colonial Pipeline, which became a catalyst for the first major security directive for pipeline owners and operators. [...] Ransomware ★★
RecordedFuture.webp 2023-03-08 15:55:00 Ransomware group says it stole student data from Minneapolis Public Schools (direct link) The ransomware group behind an [attack on Minneapolis Public Schools](https://therecord.media/minneapolis-public-schools-still-investigating-what-caused-encryption-event) posted a public video allegedly showing screenshots of stolen data after the school district said it was using backups to recover from the incident. The school district – which serves about 34,500 students – faced disruptions last week after a ransomware attack damaged some systems. Ransomware ★★
bleepingcomputer.webp 2023-03-08 12:37:04 Ransomware gang posts video of data stolen from Minneapolis schools (direct link) The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack. [...] Ransomware ★★★
Blog.webp 2023-03-08 02:35:18 ASEC Weekly Malware Statistics (February 27th, 2023 – March 5th, 2023) (direct link) ASEC (AhnLab Security Emergency response Center) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from February 27th, 2023 (Monday) to March 5th, 2023 (Sunday). For the main category, backdoor ranked top with 51.4%, followed by infostealer with 31.2%, downloader with 16.5%, and ransomware with 0.9%. Top 1 – RedLine: RedLine ranked first place with 41.0%. The malware steals various information such as web browser, FTP client and cryptocurrency... Ransomware Malware ★★
TrendMicro.webp 2023-03-08 00:00:00 Security Patch Management Strengthens Ransomware Defense (direct link) With thousands of applications to manage, enterprises need an effective way to prioritize software security patches. That calls for a contextualized, risk-based approach and good overall attack surface risk management. Ransomware ★★
Blog.webp 2023-03-07 23:03:00 GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP (direct link) ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP, based on the various pieces of evidence gathered from the infection logs. The threat actor installed various tools alongside GlobeImposter, such as a port scanner and Mimikatz. Once installed, if these tools are able... Ransomware Threat ★★
RecordedFuture.webp 2023-03-07 19:05:00 Acer says server for repair technicians accessed by hackers (direct link) Taiwanese computer maker Acer has confirmed that it suffered a breach involving the leak of technician documents related to staff manuals, product model documentation and more. In a statement Tuesday to The Record, the company said there is "no indication that any consumer data was stored on that server." "We have recently detected an incident of unauthorized access to one of our document servers for repair technicians," the company said, noting that the investigation is ongoing. The statement comes after someone offered 160GB of data for sale on a hacker forum that they claimed came from Acer. The person selling the database said it had "confidential presentations," manuals and binaries as well as information on phones, tablets and laptops. The post also says replacement digital product keys and more are included in the database. Acer has faced several data breaches in recent years, including a headline-grabbing ransomware attack in 2021 that involved a [$50 million ransom demand](https://therecord.media/ransomware-gang-demands-50-million-from-computer-maker-acer) from the REvil cybercrime group. The attack hit the company's back-office network. The hardware giant also suffered breaches in [2021](https://therecord.media/acer-confirms-second-security-breach-this-year) and [2012](https://www.databreaches.net/acer-india-hacked-20000-user-credentails-leaked/) that involved customer details and login information for Indian retailers and distributors as well as 20,000 user credentials. Acer is the sixth-largest personal computer maker in the world, with a market share of roughly 6% of all global sales. The company reported [total revenue](https://www.prnewswire.com/news-releases/acer-reports-december-consolidated-revenues-at-nt-22-89-billion-up-21-1-month-on-month-301716400.html#:~:text=9%2C%202023%20%2FPRNewswire%2F%20%2D%2D,ended%20at%20NT%24275.43%20billion.) of about $9 billion in 2022. Ransomware ★★★★
RecordedFuture.webp 2023-03-07 17:55:00 Northern Essex Community College remains shuttered after cyberattack (direct link) A Massachusetts community college has closed its doors for a second day after a cyberattack took down significant parts of its network. Northern Essex Community College serves more than 6,000 students across Massachusetts and southern New Hampshire, with campuses in Haverhill and Lawrence. A spokesperson for the school told The Record that they did not know if the attack was ransomware, and said they "do not have evidence of any personal data being compromised." On Tuesday, the school confirmed it would not open for the day. "The college will remain closed for business on Tuesday, March 7, 2023. We are still working through details and continuing to put protections in place. We are aiming to be operative by Wednesday, March 8, 2023," the school [said](https://northernessex.cc/2023/03/necc-update-march-6-2023/?fbclid=IwAR3RRdDFTarOk8sFesOBBOdaJs2bR3YAnuaEsArHPpDLVQDoFuMRqCI5ktI) on a temporary website created after the cyberattack. "All employees with a NECC laptop should cease using their laptops and are asked to bring their computers in as soon as possible and leave them in your office so that our IT team can install protection-clients and perform forensics." The statement adds that remote work will be suspended for the rest of the week due to issues with VPN access, and that employees of the college will be required to come to their offices. Microsoft Office 365, Zoom and some web-based services are still functioning, the college said. On Sunday, the college [said](https://northernessex.cc/2023/03/necc-announcement-mar-5-2023/) it became aware of unauthorized access to its network on or around March 1 and later noticed that several systems were no longer working. The college contacted law enforcement and cybersecurity experts to help with an investigation. They urged students and employees to regularly change passwords and said anyone whose information may have been accessed will be contacted with guidance. The attack is the latest in a run of incidents affecting colleges across the U.S. The year started with Massachusetts-based Bristol Community College informing students that it was [struggling to recover](https://therecord.media/massachusetts-school-district-community-college-dealing-with-fallout-from-ransomware-attack) from a damaging cyberattack in late December. Since then, Emsisoft ransomware expert Brett Callow said at least 10 colleges have been hit with ransomware or cyberattacks, including last week's attacks on colleges in Tennessee and Louisiana. Callow noted that the number of reported ransomware incidents affecting post-secondary schools and K-12 school districts in the U.S. is slightly worse than in previous years, with 13 ransomware incidents reported by the end of February 2021 and 15 attacks [by the end of February 2022](https://www.emsisoft.com/en/blog/43258/the-state-of-ransomware-in-the-us-report-and-statistics-2022/). "By the end of February this year, there were 19 incidents. The yearly numbers have remained very similar too, having remained within the range of 84 - 89 incidents per year since 2019," Callow told The Record. "It's clear that we're not getting a handle on ransomware in the education sector. In fact, the problem may even be getting worse." Ransomware ★★
TechRepublic.webp 2023-03-07 16:51:12 CrowdStrike: Attackers focusing on cloud exploits, data theft (direct link) CrowdStrike's new threat report sees a big increase in data theft activity as attackers move away from ransomware and other malware attacks, as defenses improve and the value of data increases. Ransomware Malware Threat Cloud ★★
Anomali.webp 2023-03-07 16:30:00 Anomali Cyber Watch: Mustang Panda Adopted MQTT Protocol, Redis Miner Optimization Risks Data Corruption, BlackLotus Bootkit Reintroduces Vulnerable UEFI Binaries (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Cryptojacking, Phishing, Ransomware, Secure boot bypass, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. MQsTTang: Mustang Panda's Latest Backdoor Treads New Ground with Qt and MQTT (published: March 2, 2023) In early 2023, the China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor received its name from the attribution and from its unusual use of the MQTT command and control (C2) communication protocol, which is typically used for communication between IoT devices and controllers. To speak this protocol, MQsTTang uses the open-source QMQTT library built on the Qt framework. MQsTTang is delivered through a spearphishing link pointing at a RAR archive containing a single malicious executable. MQsTTang was delivered to targets in Australia, Bulgaria, Taiwan, and likely other countries in Asia and Europe. Analyst Comment: Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. A defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various defense-evasion techniques. Sensitive government sector workers should be educated on spearphishing threats and be wary of executable files delivered in archives. MITRE ATT&CK: [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.004 - Acquire Infrastructure: Server | [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool | [MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware | [MITRE ATT&CK] T1608.002 - Stage Capabilities: Upload Tool | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1622 - Debugger Evasion | Ransomware Malware Tool Vulnerability Threat Medical
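The analyst comment above makes the practical point: MQTT is a protocol most workstations never speak, so a client hello for it from the wrong host, to an external broker, or on a port other than 1883/8883 is a cheap hunting signal. The following is an added example written for this page, not code from Anomali or from the MQsTTang research, and it does not use the report's IOCs. It parses the MQTT CONNECT packet from the first client bytes of a flow (content-based, so a non-standard port does not hide it) and flags connections that violate a site policy. The internal address ranges, the IoT allowlist, the flow tuple layout and the sample flows are all constructed assumptions.

```python
"""Hunt for MQTT CONNECT packets from hosts that should not be MQTT clients.
Added example for this page; not Anomali's or ESET's code. Log format,
allowlist and sample traffic are constructed assumptions."""
import ipaddress
import struct
from typing import List, Optional, Tuple

MQTT_CONNECT = 0x10  # control packet type 1 in the high nibble, flags 0000


def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode MQTT's variable-length 'remaining length' field (1 to 4 bytes)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _utf8_string(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a big-endian uint16 length-prefixed UTF-8 string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_mqtt_connect(payload: bytes) -> Optional[dict]:
    """Return protocol name/level, keep-alive, client id and username if the
    payload starts with an MQTT CONNECT packet; None for anything else."""
    if len(payload) < 2 or payload[0] != MQTT_CONNECT:
        return None
    try:
        remaining, pos = _remaining_length(payload, 1)
        body = payload[pos:pos + remaining]
        if len(body) != remaining:
            return None
        proto, p = _utf8_string(body, 0)
        if proto not in ("MQTT", "MQIsdp"):  # 3.1.1/5.0 and the legacy 3.1 name
            return None
        level, flags = body[p], body[p + 1]
        (keepalive,) = struct.unpack_from(">H", body, p + 2)
        client_id, p = _utf8_string(body, p + 4)
        if flags & 0x04:  # Will flag set: will topic and will message precede the username
            _, p = _utf8_string(body, p)
            _, p = _utf8_string(body, p)
        username = _utf8_string(body, p)[0] if flags & 0x80 else None
        return {"protocol": proto, "level": level, "keepalive": keepalive,
                "client_id": client_id, "username": username}
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return None


# Assumed site policy: internal address space, hosts allowed to be MQTT clients, broker ports.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_ALLOWLIST = {"10.0.50.7"}
MQTT_PORTS = {1883, 8883}


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_mqtt(flows, allowlist=IOT_ALLOWLIST) -> List[dict]:
    """flows: iterable of (src, dst, dport, first client payload bytes).
    Flags MQTT CONNECTs from non-allowlisted hosts, to external brokers, or on odd ports."""
    hits = []
    for src, dst, dport, payload in flows:
        info = parse_mqtt_connect(payload)
        if info is None:
            continue
        reasons = []
        if src not in allowlist:
            reasons.append("source not a known MQTT client")
        if not _is_internal(dst):
            reasons.append("external broker")
        if dport not in MQTT_PORTS:
            reasons.append(f"non-standard port {dport}")
        if reasons:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "client_id": info["client_id"], "reasons": reasons})
    return hits


def _mqtt_str(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_connect_packet(client_id: str, username: Optional[str] = None) -> bytes:
    """Build a minimal MQTT 3.1.1 CONNECT (clean session, 60 s keep-alive) for the samples."""
    flags = 0x02 | (0x80 if username else 0)
    body = _mqtt_str("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + _mqtt_str(client_id)
    if username:
        body += _mqtt_str(username)
    assert len(body) < 128  # a one-byte remaining length is enough for these samples
    return bytes([MQTT_CONNECT, len(body)]) + body


# Constructed sample flows, not real captures.
FLOWS = [
    ("10.0.50.7", "10.0.50.1", 1883, build_connect_packet("sensor-42")),              # expected IoT traffic
    ("10.0.20.15", "203.0.113.9", 443, build_connect_packet("ws-finance-03", "u")),   # workstation to external broker on 443
    ("10.0.20.16", "198.51.100.3", 443, bytes.fromhex("160301") + b"\x00\x2d\x01"),  # TLS ClientHello prefix, ignored
]

if __name__ == "__main__":
    for hit in find_suspicious_mqtt(FLOWS):
        print(hit)
```

Matching on the CONNECT body rather than on the port is deliberate: a backdoor can point its broker at 443, but it still has to send the protocol name and a client id in the clear unless the whole session is wrapped in TLS, in which case the same check belongs on the TLS-terminating proxy or on the JA3/SNI side of the flow.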
InfoSecurityMag.webp 2023-03-07 16:30:00 Ransomware Attack Against Barcelona Hospital Disrupts Operations (direct link) A Catalonia government statement attributed the attack to the threat actor known as RansomHouse Ransomware Threat ★★
RecordedFuture.webp 2023-03-07 14:40:00 One leader for Cyber Command, NSA has 'substantial benefits,' report says (direct link) The head of U.S. Cyber Command and the National Security Agency testified Tuesday that the two entities should continue to share a leader, citing the conclusions of a recent high-level review that has yet to be shared with the public. In [written testimony](https://www.cybercom.mil/Media/News/Article/3320195/posture-statement-of-general-paul-m-nakasone/) to a Senate panel, Army Gen. Paul Nakasone directly quoted the review of the "dual hat" leadership structure, which has existed since Cyber Command was established in 2010. The report found "'substantial benefits that present compelling evidence for retaining the existing structure,'" according to Nakasone, who took over both organizations in 2018. Momentum for splitting the roles increased during the Trump administration. The Record first reported that the Biden administration had tapped former Joint Chiefs of Staff Chairman Joseph F. Dunford Jr. to lead the review. The team [concluded without a policy recommendation](https://therecord.media/review-of-nsa-cyber-command-leadership-structure-ends-without-official-recommendation) on maintaining or splitting the arrangement, but it leaned heavily toward keeping the two conjoined, despite long-held concerns that the positions are too much for a single person. Nakasone also wrote that the review "highlighted" CYBERCOM and NSA's work defending U.S. elections from foreign interference, fighting ransomware operators and bolstering the military's other combatant commands as reasons to keep the two together. Nakasone, one of Cyber Command's original architects, said publicly last year that he met with Dunford's study group and "had an opportunity to share my views." "Success in protecting the national security of the United States in cyberspace would be more costly and less decisive with two separate organizations under two separate leaders," Nakasone wrote in his testimony for the Senate Armed Services Committee. "The enduring relationship is vital for both organizations to meet the strategic challenges of our adversaries as they mature their capabilities against the United States," he added. Ransomware Guideline ★★★
bleepingcomputer.webp 2023-03-07 13:49:23 Hospital Clínic de Barcelona severely impacted by ransomware attack (direct link) The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution's virtual machines were targeted by the attack. [...] Ransomware ★★
RecordedFuture.webp 2023-03-07 13:05:00 Israel blames state-sponsored Iranian hackers for ransomware attack on university (direct link) Israeli cybersecurity officials on Tuesday blamed hackers sponsored by the Iranian government for a ransomware attack on the country's leading technology university. The attack in February forced the Israel Institute of Technology, also known as Technion, to postpone exams and shut down its IT systems. The incident followed what Israeli defense officials said were dozens of attempted Iranian cyberattacks over the past year. Hackers from a previously unknown group calling itself DarkBit claimed responsibility in a note left on Technion's systems demanding 80 bitcoins ($1.7 million at the time) to enable the university to recover its files. The note was unusually ideological, criticizing "an apartheid regime" and stating: "They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity, killing the people (not only Palestinians' bodies, but also Israelis' souls) and destroying the future and all dreams we had." Israel's National Cyber Directorate on Tuesday attributed the attack to a threat group tracked as MuddyWater, which U.S. Cyber Command last year linked to the Iranian Ministry of Intelligence and Security. British and American authorities subsequently issued a warning about the hacking group, saying it was targeting a "range of government and private-sector organizations across sectors - including telecommunications, defense, local government, and oil and natural gas - in Asia, Africa, Europe, and North America." While Israel and Iran have never been in a declared war against each other, the countries have repeatedly blamed each other for cyberattacks targeting civilian infrastructure, including a steel plant in Iran. Iranian hackers have been blamed for attacks on water systems in Israel. The attack on the university in Haifa is not the first time that Iranian state-sponsored hackers have been linked to ransomware incidents. A French-Venezuelan cardiologist called Moises Luis Zagala Gonzalez was charged by the U.S. Department of Justice last year with developing the Thanos ransomware and allegedly boasting about it being used by Iranian government-linked hackers. Another advisory issued in 2022 by cyber authorities in the United Kingdom, United States, Australia and Canada - members of the Five Eyes intelligence alliance - warned that "cyber actors affiliated with Iran's Islamic Revolutionary Guard Corps are exploiting vulnerabilities to launch ransomware operations against multiple sectors." Ransomware Threat Guideline ★★
AlienVault.webp 2023-03-07 11:00:00 An assessment of ransomware distribution on darknet markets (direct link) Ransomware is a form of malicious software (malware) that restricts access to computer files, systems, or networks until a ransom is paid. In essence, an offender creates or purchases ransomware, then uses it to infect the target system. Ransomware is distributed in several ways including, but not limited to, malicious website links, infected USB drives, and phishing emails. Once the system is infected, the offender encrypts the device and demands payment for the decryption key. Figure 1 provides a simplified overview of the ransomware timeline. Figure 1. Ransomware timeline. The earliest recorded case of ransomware was the AIDS Trojan, which was released in the late 1980s. Now, in 2023, ransomware is considered the greatest cybersecurity threat due to the frequency and severity of attacks. In 2021, the Internet Crime Complaint Center (IC3) received over 3,000 ransomware reports totaling $49.2 million in losses. These attacks are especially problematic from a national security perspective since hackers aggressively target critical infrastructure such as the healthcare industry, energy sector, and government institutions. If ransomware has been around for more than 30 years, why is it only now increasing in popularity? We argue the increase in ransomware attacks can be attributed to the availability of ransomware sold on darknet markets. Darknet markets: Darknet markets provide a platform for cyber-criminals to buy, sell, and trade illicit goods and services. In a study funded by the Department of Homeland Security, Howell and Maimon found that darknet markets generate millions of dollars in revenue selling stolen data products, including the malicious software used to infect devices and steal personal identifying information. The University of South Florida's (USF) Cybercrime Interdisciplinary Behavioral Research (CIBR) group sought to expand upon this research. To do this, we extracted cyber-intelligence from darknet markets to provide a threat assessment of ransomware distribution. This report presents an overview of the key findings and the corresponding implications. Threat assessment: While drugs remain the hottest commodity on darknet markets, our threat intelligence team observed a rise in ransomware (and other hacking services). The study was conducted from November 2022 to February 2023. We began by searching Tor for darknet markets advertising illicit products. In total, we identified 50 active markets: more than in any prior study. We then searched for vendors advertising ransomware across these markets, identifying 41 vendors actively selling ransomware products. The number of markets and vendors highlights the availability of ransomware and its ease of access. Interestingly, we find more markets than vendors. Ransomware vendors advertise their products on multiple illicit markets, which increases vendor revenue and market resiliency: if one market is taken offline (by law enforcement or hackers), customers can shop with the same vendor across multiple storefronts. The 41 identified vendors advertised 98 unique ransomware products. This too shows the accessibility of various forms of ransomware readily available for purchase. We extracted the product description, price, and transaction information into a structured database file for analysis. In total, we identified 504 successful transactions (within a 4-month period) with prices ranging from $1 to $470. On average, ransomware so Ransomware Threat Cloud ★★
ZoneAlarm.webp 2023-03-07 10:30:45 FBI and CISA issue joint warning on Royal Ransomware (direct link) On March 6, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint warning to critical infrastructure groups worldwide regarding the dangers of Royal Ransomware. The group behind it has recently targeted high-profile healthcare organizations, including those in the United States, and has a particular interest in … Ransomware ★★
no_ico.webp 2023-03-07 10:13:52 Ransomware Hits Major Barcelona Hospital, Appointments Canceled (direct link) Authorities in Barcelona revealed on Monday that thousands of appointments had to be canceled due to a ransomware attack on the city's primary hospital. After a Saturday attack on the Hospital Clinic de Barcelona, all of the facility's laboratory, clinic, and emergency room computers were shut down. On Monday, its website was not accessible. Because [...] Ransomware ★★★
01net.webp 2023-03-07 09:45:26 Ransomware: police launch offensive against the DoppelPaymer hackers (direct link) The hackers behind the DoppelPaymer ransomware are in Europol's sights. A raid carried out in Germany and Ukraine seized equipment belonging to the hackers. Ransomware ★★★
News.webp 2023-03-06 21:45:08 DoppelPaymer ransomware suspects cuffed, alleged ringleaders escape (direct link) Millions extorted from victims; one attack left a hospital patient dead. German and Ukrainian police have arrested suspected members of the DoppelPaymer ransomware crew and issued warrants for three other "masterminds" behind the global operation that extorted tens of millions of dollars and may have led to the death of a hospital patient.… Ransomware ★★
DarkReading.webp 2023-03-06 19:25:00 Police Raid Rounds Up Core Members of DoppelPaymer Ransomware Gang (direct link) This is the latest in a line of law-enforcement actions busting up the ransomware scene. Ransomware
SecurityWeek.webp 2023-03-06 18:59:21 Cyberattack Hits Major Hospital in Spanish City of Barcelona (direct link) A ransomware attack on one of Barcelona's main hospitals has crippled the center's computer system and forced the cancellation of non-urgent operations and patient checkups. Ransomware ★★
The_Hackers_News.webp 2023-03-06 17:43:00 Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine (direct link) Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware. The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol. This encompassed Ransomware
InfoSecurityMag.webp 2023-03-06 16:30:00 DoppelPaymer Ransomware Gang Members Busted in Germany, Ukraine (direct link) Police also seized electronic equipment and are currently performing forensic examinations Ransomware
CS.webp 2023-03-06 16:26:36 European raid targeted notorious ransomware gang DoppelPaymer (direct link) The DoppelPaymer ransomware gang is considered one of the world's most dangerous after it was linked to a death at a hospital in Germany. Ransomware ★★
RecordedFuture.webp 2023-03-06 14:03:00 Vice Society ransomware group claims German university as latest victim (direct link) The Vice Society ransomware group added the Hamburg University of Applied Sciences (HAW Hamburg) to its leak site this weekend following an attack that the institution said took place late last year. HAW Hamburg is one of several German-speaking institutions with a focus on applied sciences to be targeted by ransomware gangs in recent months. In [a statement](https://www.haw-hamburg.de/fileadmin/PK/PDF/Infos_Art._34_DS-GVO_final.pdf) sent to all employees and students, the university said the attack was on December 29, describing a ransomware incident without using the term itself. The school has about 16,000 students. "The attackers worked their way manually from decentralized IT systems via the network to the central IT and security components of HAW Hamburg. They also gained administrative rights to the central storage systems via this attack path and thus compromised the central data storage," the statement explained. "With the administrative rights obtained, the encryption of various virtualized platforms and the deletion of saved backups were finally started," it added. The university warned that "significant amounts of data from various areas" were copied, including usernames and "cryptographically secured" passwords, email addresses and mobile phone numbers. Despite describing the compromised passwords as "cryptographically secured," the IT team recommended that students and staff change their passwords "for all internal university applications," adding "in particular, change your password for Microsoft Teams and avoid using passwords that you have already used before." The university said it had to rebuild its IT systems, including the existing Microsoft cloud environment, and was "trying to restore a backup of the email data from the old mail server as of December 14." Following the attack, HAW Hamburg's IT security team said it had "received several reports from students about attempts to log on to Internet portals such as Amazon and eBay by unauthorized third parties." "After reviewing all previous reports, and taking into account the attacker group's previous approach, it can be ruled out that the login attempts are related to the security incident at HAW Hamburg or the attacker group," the team added. Back in January the Vice Society ransomware group [claimed responsibility](https://therecord.media/vice-society-ransomware-gang-claims-attack-on-one-of-germanys-largest-universities/) for a November attack against the University of Duisburg-Essen in Germany. Then in February the University of Zurich, Switzerland's largest university, announced it was the target of a "serious cyberattack," which a spokesperson described to The Record as "part of a current accumulation of attacks on educational and health institutions." The week before, the [Harz University of Applied Sciences](https://www.n-tv.de/regionales/sachsen-anhalt/Hochschule-Harz-nach-digitalem-Angriff-offline-article23885755.html) in Saxony-Anhalt, [Ruhr West University](https://www.hochschule-ruhr-west.de/hrwoffline/), and the [EU/FH European University of Applied Sciences](https://www.eufh.de/hochschule/pressemitteilung) all announced being impacted by cyberattacks. Ransomware Guideline Cloud ★★
RecordedFuture.webp 2023-03-06 14:02:00 Thousands of appointments canceled after ransomware hits major Barcelona hospital (lien direct) A ransomware attack on the city of Barcelona's main hospital has forced thousands of appointments to be canceled, officials announced Monday. The Hospital Clinic de Barcelona was attacked Saturday, with computers across the institution's numerous laboratories, clinics and emergency room shut down. Its website was unavailable on Monday. Officials said that 150 non-urgent operations were canceled on Monday alongside up to 3,000 patient checkups, including radiotherapy visits, because staff can't access patients' clinical records, reported the [El País newspaper](link). The Ransom House gang - which lists semiconductor company AMD as a previous victim, claiming to have sold data stolen by its "partners" - was responsible for the attack, according to the regional Catalonian Cybersecurity Agency. The gang itself claims on its leak site to “have nothing to do with any breaches” and doesn't “produce or use any ransomware.” It describes itself as a “professional mediators community.” Segi Marcén, telecommunications secretary for the regional Catalonia government, said that no extortion demand had yet been received but that the hospital would not be making a ransom payment even if one was. “We will not pay a cent,” Marcén said. Ransomware gangs typically threaten to release stolen data publicly if an extortion payment doesn't come by a certain deadline. As of Monday, nothing from the hospital was on Ransom House's leak site. Marcén added that the regional government was “focusing on recovering the information” impacted by the attack, although it was not yet clear whether the hospital's data backups were also compromised, El País reported. Staff at the hospital have been forced to write on paper and do not have access to electronic patient data-sharing systems. The facility's press department announced that urgent cases are being diverted to other hospitals. “We can't make any prediction as to when the system will be back up to normal,” the hospital's director, Antoni Castells, told journalists, adding that there was a contingency plan to keep services functioning for several days although he hoped the system would be fixed sooner. Tomàs Roy, the general director of the Catalan Cybersecurity Agency, said the attackers “have used new attack techniques,” but didn't specify what they were. Recovering from the attack will be “gradual,” reported El País, as IT staff will need to ensure that systems aren't restored while the attackers maintain some access to the system. Ransomware ★★
RecordedFuture.webp 2023-03-06 14:01:00 Ransomware gang posts breast cancer patients' clinical photographs (lien direct) The ALPHV ransomware group, also known as BlackCat, is attempting to extort a healthcare network in Pennsylvania by publishing photographs of breast cancer patients. These clinical images, used by Lehigh Valley Health Network as part of radiotherapy to tackle malignant cells, were described as “nude photos” on the criminals' site. Lehigh Valley Health Network disclosed on February 20 that it had been attacked by the BlackCat gang, which it described as linked to Russia, and stated that it would not pay a ransom. “Based on our initial analysis, the attack was on the network supporting one physician practice located in Lackawanna County. We take this very seriously and protecting the data security and privacy of our patients, physicians and staff is critical,” said the network's president and chief executive, Brian Nester. Nester added that the incident involved “a computer system used for clinically appropriate patient images for radiation oncology treatment and other sensitive information.” At the time of the original statement, Nester said Lehigh Valley Health Network's services - including a cancer institute and a children's hospital - were not affected. However the network's website is currently inaccessible. The Record was unable to contact the network for further comment following its listing on the ALPHV [.onion](https://en.wikipedia.org/wiki/Tor_(network)) website. Onlookers have been revolted by the attempt to leverage the sensitivities around cancer treatment and intimate images to extort the organization. Max Smeets, an academic at ETH Zurich - a public research university - and the director of the European Cyber Conflict Research Initiative, [wrote](https://twitter.com/Maxwsmeets/status/1632654116320075776): “This makes me so angry. I hope these barbarians will be held accountable for their heinous actions.” "A new low. This is sickening," [wrote](https://twitter.com/rj_chap/status/1632465294580133888) malware analyst Ryan Chapman, while Nicholas Carroll, a cybersecurity professional, [said](https://twitter.com/sloppy_bear/status/1632468646873165824) the gang was “trying to set new standards in despicable.” ALPHV itself celebrated the attack and the attention it brought. “Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business. Your time is running out. We are ready to unleash our full power on you!” Numerous healthcare organizations have been attacked by ransomware gangs in recent months. The criminal industry persists because of victims who pay, sometimes because their businesses face an existential threat, and sometimes to avoid the negative publicity. Medibank, one of Australia's largest health insurance providers, stated last November that it would not be making a [ransom payment](https://therecord.media/medibank-says-it-will-not-pay-ransom-in-hack-that-impacted-9-7-million-customers/) after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad. The information included sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions. Outrage at the attack prompted the government to [consider banning](https://therecord.media/australia-to-consider-banning-ransomware-payments/) ransomware payments in a bid to undermine the industry. Back in January, the hospital technology giant [NextGen Healthcare](https://therecord.media/electronic-health-record-giant-nextgen-dealing-with-cyberattack/) said it was responding to a cyberattack after ALPHV added the company to its list of victims. Ransomware Malware ★★★
SecurityWeek.webp 2023-03-06 12:47:25 Ransomware Operators Leak Data Allegedly Stolen From City of Oakland (lien direct) Play ransomware operators have leaked data allegedly stolen from the City of Oakland last month. Ransomware ★★
InfoSecurityMag.webp 2023-03-06 10:30:00 City of Oakland Faces Major Data Leak (lien direct) Information was stolen during recent ransomware attack Ransomware ★★
Fortinet.webp 2023-03-06 10:10:00 Ransomware Roundup – Sirattacker and ALC Ransomware (lien direct) In this week's Ransomware Roundup, FortiGuardLabs covers Sirattacker and ALC ransomware along with protection recommendations. Learn more: Ransomware ★★
News.webp 2023-03-06 03:01:08 Where are the women in cyber security? On the dark side, study suggests (lien direct) Also, Royal ransomware metastasizes to other critical sectors, and this week's critical vulnerabilities In Brief If you can't join them, then you may as well try to beat them – at least if you're a talented security engineer looking for a job and you happen to be a woman. … Ransomware ★★★
bleepingcomputer.webp 2023-03-04 15:47:41 Ransomware gang leaks data stolen from City of Oakland (lien direct) The Play ransomware gang has begun to leak data from the City of Oakland, California, that was stolen in a recent cyberattack. [...] Ransomware ★★
RecordedFuture.webp 2023-03-04 13:00:00 A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war (lien direct) Last November, several Ukrainian organizations were targeted by a new type of ransomware called RansomBoggs. Its operators sent infected computers a ransom note written on behalf of James P. Sullivan - the main protagonist of the animated film Monsters, Inc. In the note Sullivan, whose job in the movie was to scare kids, asked for [… Ransomware ★★★
DarkReading.webp 2023-03-03 20:30:46 Indigo Books Refuses LockBit Ransomware Demand (lien direct) Canada's largest bookseller rejected the pressure of the ransomware gang's countdown timer, despite data threats. Ransomware ★★
Last update at: 2024-06-25 06:08:12