What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
Fortinet.webp 2022-09-16 09:08:00 (Déjà vu) Ransomware Roundup: Ragnar Locker Ransomware (direct link) The latest edition of the Ransomware Roundup from FortiGuard Labs covers the Ragnar Locker ransomware. Read to learn more about protections. Ransomware
bleepingcomputer.webp 2022-09-15 15:10:55 Hive ransomware claims cyberattack on Bell Canada subsidiary (direct link) The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS). [...] Ransomware
no_ico.webp 2022-09-15 12:53:53 Ransomware Group Has Threatened To Leak Over 1m Medical Records (direct link) Following news that the Daixin Team ransomware group has threatened to leak over 1 million medical records (https://www.theregister.com/2022/09/14/ransomware_medical_groups/), cyber security experts reacted below. Ransomware
The_Hackers_News.webp 2022-09-15 12:19:00 U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks (direct link) The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks since at least October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked Ransomware
CSO.webp 2022-09-15 05:20:00 US government indicts Iranian nationals for ransomware and other cybercrimes (direct link) The US Department of Justice (DOJ) unsealed an indictment that charged three Iranian cybercriminals with orchestrating a series of attacks from October 2020 to the present that gave the three access to the computer networks of multiple US entities. The three, Mansour Ahmadi, a.k.a. Mansur Ahmadi, 34; Ahmad Khatibi Aghda, a.k.a. Ahmad Khatibi, 45; and Amir Hossein Nickaein Ravari, a.k.a. Amir Hossein Nikaeen, a.k.a. Amir Hossein Nickaein, a.k.a. Amir Nikayin, 30, not only attacked hundreds of victims in the United States, but also entities in Israel, the United Kingdom, Russia, and Iran itself. Ransomware
Blog.webp 2022-09-15 00:00:00 Change in Magniber Ransomware (*.cpl → *.jse) – September 8th (direct link) After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it was observed to show decreased distribution activity as of mid-August. While continuously monitoring for changes, the ASEC analysis team found that the distribution format of Magniber changed from *.CPL (DLL type) to *.JSE (script) format starting from September 8th, 2022. As Magniber is one of the most damaging ransomware families for Korean users and employs various methods to bypass... Ransomware
CS.webp 2022-09-14 20:38:23 U.S. government takes sweeping action against Iranian hackers accused of ransomware spree (direct link) The action from multiple U.S. departments is against 10 Iranians and two Iranian companies related to a spree of breaches and cyberattacks. Ransomware ★★★
The_Hackers_News.webp 2022-09-14 19:34:00 Lorenz Ransomware Exploits Mitel VoIP Systems to Breach Business Networks (direct link) The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold in target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," researchers from cybersecurity firm Arctic Wolf said in a report Ransomware
no_ico.webp 2022-09-14 12:58:10 Canadian Solar Has Been Hacked By LockBit 3.0 Ransomware (direct link) It has been reported that Canadian Solar, the manufacturer of solar PV modules, is said to have been hacked by the ransomware gang known as LockBit 3.0. The hackers have demanded a ransom from the company and set a deadline of 13 September 2022 for payment. For extending the leak to the […] Ransomware
no_ico.webp 2022-09-14 12:46:49 COMMENT: Biggest US Healthcare Ransomware Attack In 2022 (direct link) It has been reported that two recent ransomware attacks against healthcare systems indicate cybercriminals continue to put medical clinics and hospitals firmly in their crosshairs. Daixin Team has taken credit for a September 1 assault on Texas-based OakBend Medical Center, causing a shutdown of the organization's communication and IT systems as well as exfiltrating internal […] Ransomware
News.webp 2022-09-14 00:57:37 Ransomware gang threatens 1m-plus medical record leak (direct link) Criminals continue to target some of the most vulnerable. Two recent ransomware attacks against healthcare systems indicate cybercriminals continue to put medical clinics and hospitals firmly in their crosshairs.… Ransomware
Blog.webp 2022-09-14 00:30:00 (Déjà vu) ASEC Weekly Malware Statistics (August 29th, 2022 – September 4th, 2022) (direct link) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists weekly statistics collected from August 29th, 2022 (Monday) to September 4th, 2022 (Sunday). For the main category, info-stealer ranked top with 45.9%, followed by downloader with 28.1%, backdoor with 18.5%, ransomware with 6.2%, and CoinMiner and banking malware with 0.7% each. Top 1 – GuLoader: GuLoader, which ranked first with 22.6%, is a downloader malware that... Ransomware Malware
cybersecurityventures.webp 2022-09-13 19:38:25 Ransomware Will Strike Every 2 Seconds By 2031 (direct link) Gangs, strains, and statistics CISOs and cybersecurity teams should know. – Steve Morgan, Sausalito, Calif., Sep. 13, 2022. Cybersecurity Ventures predicts that by 2031, ransomware will cost victims $265 billion annually and will attack a business, consumer, or device every 2 seconds. Chief Ransomware
Anomali.webp 2022-09-13 15:00:00 Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022). Microsoft researchers discovered that groups working under Iran's Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with an initial intrusion in May 2021, proceeded with mailbox exfiltration between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in what it sees as direct and proportional retaliation. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070. Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona. BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022). Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antivirus, the archived email attachment had the malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as an unsolicited email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | Ransomware Malware Tool Vulnerability Threat Guideline APT 27 APT 34
DarkReading.webp 2022-09-13 14:13:03 Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems (direct link) The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks. Ransomware
no_ico.webp 2022-09-13 12:50:50 Comment: New Approach To Ransomware Encryption Threatens To Undermine Cyber Security Strategies (direct link) Following the news: New approach to ransomware encryption threatens to undermine cyber security strategies | IT PRO Ransomware
SecurityWeek.webp 2022-09-13 10:15:39 Spyware, Ransomware, Cryptojacking Malware Increasingly Detected on ICS Devices (direct link) Spyware, ransomware and cryptojacking malware have been increasingly detected on industrial control system (ICS) computers, according to data collected in the first half of 2022 by cybersecurity firm Kaspersky. Ransomware Malware
AlienVault.webp 2022-09-13 10:00:00 Credential theft food chain: What is Ransomware-as-a-Service (direct link) This blog was written by an independent guest blogger. Anyone who has watched the Lockpicking Lawyer realizes that certain locks promoted as the latest-and-greatest aren't necessarily the most reliable devices for securing physical assets. Like many other security professionals, he seeks to educate consumers and manufacturers on defects in devices and how to improve their security. It reminds me of a quote by Deviant Ollam (security auditor and penetration testing consultant): "Security is achieved through openness. Take things apart and play with them... exposing bad security is what protects us all." This preemptive step of testing security is vital because, while the defenders are actively finding security holes, so are criminals. Criminals – in this current context, cybercriminals – are looking to do all kinds of disruptive or destructive activities, from a straightforward denial of service attack on one end of the spectrum to a full-scale attempt to take down a government or critical infrastructure by whatever means possible on the other. These threat actors start by stealing credentials, focusing on those that give access to servers and other corporate assets, though individual non-admin accounts are not out of their sight. What sets them apart from many other thieves is that they don't use the credentials themselves to gain entry. Either the credential thieves are Initial Access Brokers (IABs), or they sell these credential sets to IABs, who turn around and sell them to customers and affiliates who are organized underground (aka Dark Web) threat actors. While it is not necessarily simple or straightforward, this is the entry point for the topic at hand: Ransomware-as-a-Service. What is Ransomware as a Service (RaaS)?
Ransomware as a Service (RaaS) is Conti attacking numerous healthcare, first responder, and law enforcement agencies in early 2021. RaaS is LockBit 2.0 attacking a Bulgarian refugee agency. RaaS is REvil abusing Kaseya Virtual Systems Administrator (VSA) to attack Managed Security Service Providers. RaaS, though illegal, is a valid and highly efficient business model, similar to the Software-as-a-Service (SaaS) model. Ransomware operators create ransomware attacks, then customers, or affiliates, can buy those services and launch the attacks. RaaS syndicates may offer different tiers of service, including technical support, bundles, and community forums. How the RaaS model operates: Because it is a business model, the success of affiliates plays a part in the sales strategy. The better affiliates perform, the better chance they have of being noticed by other groups for future sales and engagement opportunities. One aspect of attempting to increase market performance is Big Game Hunting (BGH). In scoping out ransomware victims, one target has been large organizations in industries including Healthcare, Manufacturing, Managed Services, Media, and Government agencies. While BGH seems intuitive (low effort, enormous payoff), there has been a decrease in its activity recently. This drop-off is most likely due to US authorities focusing on protecting those industries and successfully combatting ransomware Ransomware Threat ★★★★★
InfoSecurityMag.webp 2022-09-13 08:45:00 Researchers Warn of 674% Surge in Deadbolt Ransomware (direct link) Malware continues to infect QNAP devices Ransomware Malware
News.webp 2022-09-13 07:30:11 Cisco: Yes, Yanluowang leaked our data. No, it's not serious (direct link) Everything's fine! The Yanluowang ransomware group behind the May attack on Cisco Systems has publicly leaked the stolen files on the dark web over the weekend, but the networking giant says there's nothing to worry about.… Ransomware
CSO.webp 2022-09-13 07:13:00 BrandPost: How to Stop Ransomware (direct link) Security Service Edge (SSE) is a relatively new category. Depending on how you look at it, it's either a consolidation of three existing security categories - Secure Web Gateway (SWG), Zero Trust Network Architecture (ZTNA), and Cloud Access Security Broker (CASB) - or a deconstruction of SASE that separates security capabilities from network plumbing. Either way, SSE is not just an arbitrary addition to the security industry's alphabet soup: it's a highly relevant evolution of enterprise security that recognizes what organizations need to protect their distributed users, applications, and workloads against today's ever-evolving threats. Ransomware
CSO.webp 2022-09-13 02:00:00 U.S. government offensive cybersecurity actions tied to defensive demands (direct link) Offensive cyber operations are best known as acts of digital harm, mainly in the context of cyber "warfare," with nation-states, particularly intelligence organizations, serving as the primary actors. But, as experts and officials speaking at the Billington Cybersecurity Summit this year attest, "offensive cyber" is also a term increasingly applied to the growing use of digital tools and methods deployed by various arms of the federal government, often in partnership with private sector parties, to snuff out threats or proactively help victims of ransomware actors. Ransomware
DarkReading.webp 2022-09-12 19:05:42 Cisco Data Breach Attributed to Lapsus$ Ransomware Group (direct link) Analysis shows attackers breached employee credentials with voice phishing and were preparing a ransomware attack against Cisco Systems. Ransomware Data Breach
no_ico.webp 2022-09-12 13:43:46 The LA School District Cyber Attack Keeps Unravelling – Expert Comments (direct link) If you are still writing on this news: Jeremy Kirk, the editor over at ISMG, reported on Twitter last night that the Vice Society was claiming responsibility for the LA School District cyberattack. The Vice Society is a "double extortion" ransomware group, meaning they encrypt the data and also threaten to publish it. https://bit.ly/3LaYiIf Ransomware
bleepingcomputer.webp 2022-09-12 12:00:00 Lorenz ransomware breaches corporate network via phone systems (direct link) The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks. [...] Ransomware Vulnerability
SecurityAffairs.webp 2022-09-12 08:57:15 (Déjà vu) Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems (direct link) Cisco confirmed the May attack and that the data leaked by the Yanluowang ransomware group was stolen from its systems. In August, Cisco disclosed a security breach: the Yanluowang ransomware gang breached its corporate network in late May and stole internal data. The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed […] Ransomware
CSO.webp 2022-09-12 05:44:00 CISA launches incident, ransomware reporting rulemaking RFI (direct link) The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its request for information (RFI) on upcoming reporting requirements that will mandate that organizations report significant cybersecurity incidents within 72 hours and ransomware payments within 24 hours after payments are made. The RFI follows the March passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires CISA to pursue a regulatory rulemaking path for collecting the incident and ransomware payment data. Ransomware
InfoSecurityMag.webp 2022-09-11 08:30:00 Over Three-Quarters of Retailers Hit by Ransomware in 2021 (direct link) Figure is more than 10% higher than cross-sector average Ransomware
WiredThreatLevel.webp 2022-09-10 13:00:00 Hackers Target Los Angeles School District With Ransomware (direct link) Plus: Albania cuts ties with Iran, claims of a TikTok data breach that didn't happen, and much more. Ransomware Data Breach
DarkReading.webp 2022-09-09 19:00:00 Monti, the New Conti: Ransomware Gang Uses Recycled Code (direct link) A new group, Monti, appears to have used leaked Conti code, TTPs, and infrastructure approaches to launch its own ransomware campaign. Ransomware
DarkReading.webp 2022-09-09 14:22:58 LockBit, ALPHV & Other Ransomware Gang Leak Sites Hit by DDoS Attacks (direct link) A sweeping effort to prevent a raft of targeted cybercrime groups from posting ransomware victims' data publicly is hampering their operations, causing outages. Ransomware
SecurityAffairs.webp 2022-09-09 08:57:47 Iran-linked DEV-0270 group abuses BitLocker to encrypt victims' devices (direct link) Iran-linked APT group DEV-0270 (aka Nemesis Kitten) is abusing the BitLocker Windows feature to encrypt victims' devices. Microsoft Security Threat Intelligence researchers reported that Iran-linked APT group DEV-0270 (Nemesis Kitten) has been abusing the BitLocker Windows feature to encrypt victims' devices. The researchers tracked multiple ransomware attacks conducted by the DEV-0270 group, which is a […] Ransomware Threat
Fortinet.webp 2022-09-08 19:21:11 New Conti Ransomware Campaign Observed in the Wild (direct link) FortiGuard Labs has observed a new wave of ransomware threats belonging to the Conti malware family, active in Mexico. These variants appear to target the latest Linux and ESX systems and enable the attacker to encrypt files on the victim's machine and guest virtual machines. The variants are all dynamically linked 64-bit ELF samples written in C. A similar sample to the ones in this campaign was documented previously by Trellix.
Why is this Significant? This is significant because the newly observed campaign was launched by the Conti ransomware group, who are known for holding encrypted files and stolen information belonging to countless companies from varying sectors hostage for profit. The group announced it plans to retaliate against western targets after the Russian invasion of Ukraine, adding a political motivation on top of financial gain. This new campaign seems to be similar to the previous campaigns; however, some of the samples involved have much lower detection rates at the time of this writing.
What Does the Malware Do? Conti ransomware variants used in the new campaign perform activities identical to the previous ones: they encrypt files on the compromised machine and add a ".conti" file extension to them after the threat actor exfiltrates information from the victim's network. They then demand a ransom payment from the victim in order to recover the affected files and to prevent stolen information from being released to the public. The malware leaves a ransom note that reads:
All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it". As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website: TOR VERSION: (you should download and install TOR browser first https://torproject.org) http://[Removed].onion/ - YOU SHOULD BE AWARE We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US. Your decisions and action can result in serious harm to your company. Inform your supervisors and stay calm.
The malware can also be run on ESX environments and has the ability to shut down and encrypt the associated virtual machines. The malware has a detailed helper dialog. This is another indication that the Conti group consists of many people.
What is the Status of Coverage? FortiGuard Labs provides the following AV signatures for the Conti ransomware samples observed in the new campaign:
Linux/Filecoder_Conti.083E!tr.ransom
Linux/Filecoder_Conti.0B97!tr.ransom
Linux/Filecoder_Conti.14E3!tr.ransom
Linux/Filecoder_Conti.3233!tr.ransom
Linux/Filecoder_Conti.3691!tr.ransom
Linux/Filecoder_Conti.3FA2!tr.ransom
Linux/Filecoder_Conti.5DE1!tr.ransom
Linux/Filecoder_Conti.638B!tr.ransom
Linux/Filecoder_Conti.65AB!tr.ransom
Linux/Filecoder_Conti.919D!tr.ransom
Linux/Filecoder_Conti.BDC5!tr.ransom
Linux/Filecoder_Conti.C2F5!tr.ransom
Linux/Filecoder_Conti.C3D1!tr.ransom
Linux/Filecoder_Babyk.H!tr
PossibleThreat
FortiEDR blocks the Conti samples pre-execution. Ransomware Malware Threat
ProofPoint.webp 2022-09-08 17:10:42 The cyberattack with the most negative impact on patient care: ransomware (direct link) No more details Ransomware
DarkReading.webp 2022-09-08 14:39:48 Former Conti Ransomware Members Join Initial Access Broker Group Targeting Ukraine (direct link) The initial access broker (IAB) for ransomware gangs known as UAC-0098 has targeted Ukrainian organizations in five separate phishing campaigns spanning April to August. Ransomware
DarkReading.webp 2022-09-08 14:00:00 Everything You Need To Know About BlackCat (AlphaV) (direct link) A relative newcomer to the ransomware scene, the BlackCat group quickly gained notoriety and may be associated with other APT groups like Conti and DarkSide. Ransomware ★★
grahamcluley.webp 2022-09-08 13:49:29 Warning issued about Vice Society ransomware gang after attacks on schools (direct link) A ransomware gang that has been increasingly and disproportionately targeting the education sector is the subject of a joint warning issued by the FBI, CISA, and MS-ISAC. Read more in my article on the Tripwire State of Security blog. Ransomware
SentinelOne.webp 2022-09-08 13:29:52 Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection (direct link) Partially encrypting victims' files improves ransomware speed and aids evasion. First seen in LockFile, the technique is now being widely adopted. Ransomware ★★★★
Dragos.webp 2022-09-08 13:00:00 Ransomware Attacks in Small and Medium-Sized Organizations and Manufacturing Are On the Rise (direct link) Dragos OT-CERT offers free resources to small and medium-sized organizations that lack OT cybersecurity expertise. Data regarding recent ransomware attacks... Ransomware
MalwarebytesLabs.webp 2022-09-08 12:00:00 Ransomware review: August 2022 (direct link) LockBit remained the dominant ransomware variant in August, as it has all year. At the other end of the scale, REvil's revival in slow motion continued with a single victim listed. Ransomware
The_Hackers_News.webp 2022-09-08 11:08:00 Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (direct link) Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Ransomware Threat Conference APT 35
CSO.webp 2022-09-08 11:02:00 Ransomware attacks on retailers rose 75% in 2021 (direct link) Retailers are fast becoming the favorite targets for ransomware criminals, with two out of three companies in the sector being attacked last year, according to a new report from cybersecurity firm Sophos. Attackers were able to successfully encrypt files in more than half of the attacks. Of 422 retail IT professionals surveyed internationally, 77% said their organizations were hit by ransomware attacks in 2021. This is a 75% rise from 2020, the Sophos report noted. "Retailers continue to suffer one of the highest rates of ransomware attacks of any industry. With more than three in four suffering an attack in 2021, it certainly brings a ransomware incident into the category of when, not if," said Chester Wisniewski, principal research scientist at Sophos, in a statement accompanying the report. Ransomware
SecurityAffairs.webp 2022-09-08 09:10:20 Ex-members of the Conti ransomware gang target Ukraine (direct link) Some members of the Conti ransomware gang were involved in financially motivated attacks targeting Ukraine from April to August 2022. Researchers from Google's Threat Analysis Group (TAG) reported that some former members of the Conti cybercrime group were involved in five different campaigns targeting Ukraine between April and August 2022. The activities overlap with operations […] Ransomware Threat
CS.webp 2022-09-08 09:00:00 Health care IT workers report increased cyberattacks affecting patient care (direct link) More than half of the respondents to a health care cybersecurity survey say their organizations suffered a ransomware attack in the past year. Ransomware
The_State_of_Security.webp 2022-09-08 03:01:00 How Penetration Testing can help prevent Ransomware Attacks (direct link) It is hard to believe, but ransomware is more than three decades old. While many would think that the ransomware mayhem started with the WannaCry attack of 2017, that is simply the most publicized example. Since then, dozens of ransomware strains have been utilized in a variety of cyberattacks. According to a PhishLabs report, by […] Ransomware Wannacry
Fortinet.webp 2022-09-07 23:23:10 Joint CyberSecurity Advisory on Vice Society (AA22-249A) (direct link) On September 6th, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on the Vice Society ransomware group, which has been active since the middle of 2021 and targets multiple industry sectors including education, healthcare, and government. The threat actor uses double extortion tactics, in which victims are threatened with permanently losing their encrypted files and with the leaking of stolen data to the public should the ransom not be paid.
Why is this Significant? This is significant because the alleged Vice Society victims listed on the data leak site include organizations in the education, healthcare, and government sectors, which are often exempted by other major ransomware groups. Of the last ten victims (as of September 7, 2022), more than half are in the education and healthcare sectors. Once the threat actor sets foot in the victim's network, it moves laterally around the network, exfiltrates valuable information, and deploys ransomware which encrypts files on the compromised machine. The stolen data will be made available to the public, which may cause damage to the reputation of the affected companies.
What is Vice Society Ransomware Group? Vice Society is a ransomware group that has been active since at least the middle of 2021 and targets both Windows and Linux systems. What's unique about this ransomware group is that it deploys third-party ransomware to its victims instead of developing its own ransomware. Such ransomware reportedly includes HelloKitty, FiveHands and Zeppelin. Below is a typical ransom note left behind by the Vice Society threat actor: As the ransom note states, the deployed ransomware encrypts files on the compromised machines. Before the threat actor pushes the ransomware, it propagates through the victim's network using tools such as SystemBC, PowerShell Empire, and Cobalt Strike, and exfiltrates confidential information. The ransom note also provides a few contact email addresses. The threat actor puts additional pressure on the victim by stating that stolen information will be released to the public if the victim does not email the attacker within seven days. The threat actor operates its own leak site where it lists victims and releases stolen data. The alleged victims are in many countries around the globe, including but not restricted to Argentina, Australia, Beirut, Brazil, Canada, Colombia, France, French Guiana, Germany, Greece, Indonesia, India, Italy, Kuwait, Malaysia, the Netherlands, New Zealand, Poland, Saudi Arabia, Singapore, Spain, Sweden, Switzerland, Thailand, the United Kingdom, and the United States.
Top page of Vice Society leak site
A reported infection vector used by the Vice Society ransomware group is exploitation of vulnerabilities (CVE-2021-1675 and CVE-2021-34527) that affect the Microsoft Windows Print Spooler. CVE-2021-34527 is also known as PrintNightmare, on which FortiGuard Labs previously released an Outbreak Alert and a Threat Signal. For more information on PrintNightmare, see the Appendix for links to "Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability". Microsoft released patches for CVE-2021-1675 and CVE-2021-34527 in June and July 2021 respectively.
What is the Status of Coverage? FortiGuard Labs provides the following AV signatures against known ransomware samples used by the Vice Society threat actor:
W32/Buran.H!tr.ransom
W32/Filecoder.OJI!tr
ELF/Filecoder.8BB5!tr.ransom
W32/Generic.AC.171!tr
FortiGuard Labs has the following IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527) as well as CVE-2021-1675:
MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation
All network IOCs are blocked by the WebFiltering client. Ransomware Vulnerability Threat
DarkReading.webp 2022-09-07 19:30:50 Holiday Inn Owner InterContinental Has a Breach Trend (direct link) After a high-profile 2017 breach and a Holiday Inn ransomware hit earlier this year, IHG confirms that its booking channels and applications have been disrupted in yet another cyberattack. Ransomware
DarkReading.webp 2022-09-07 17:00:00 Fighting Ransomware Takes an Army: Our Public & Private Sector Soldiers Join Forces (direct link) Continued collaboration will help win the fight as cybersecurity remains a national priority. International and public-private cooperation is helping stem the damage from ransomware threats and cyberattacks. Ransomware
no_ico.webp 2022-09-07 16:58:01 Los Angeles School District – Hit By Cyberattack – Expert Comments (direct link) The Los Angeles Unified School District has confirmed that it was hit by a ransomware attack on its IT systems over the weekend. District officials described the incident as "likely criminal in nature," and said they were assessing the situation with law enforcement agencies. The district initially confirmed on Twitter that this was in fact a ransomware […] Ransomware
no_ico.webp 2022-09-07 16:27:32 Hackers Are Using NASA Telescope Images To Push Ransomware (direct link) According to Metro, one of the first images taken by NASA's James Webb Telescope is being used by hackers in a phishing scam. A security analytics platform, Securonix, uncovered the new computer security threat that uses the James Webb Space Telescope's first public image to spread malware. The attack is called 'GO#WEBBFUSCATOR' and reportedly starts […] Ransomware Threat
Last update at: 2024-07-02 16:07:58