Rise of Ransomware Attacks Main Focus for SOCs, research finds

A new global study has looked into how SOCs go about protecting organisations from threats, where they focus the most attention and what is driving modernisation plans.

Cybereason’s latest report, Ransomware and the Modern SOC: How Ransomware is Driving the Requirements for SOC Modernization, surveyed 1,203 security professionals from eight countries and a dozen industries, and found more than 58% said their SOC spends most of its time responding to ransomware and supply chain attacks that often lead to ransomware incidents.

As a result, their modernization plans are now focused across four specific areas:

  • 38% — Plan to deploy new detection capabilities with better detection efficacy.
  • 31% — Need better visibility into the full attack story.
  • 31% — Are looking for ways to augment staffing and contract for managed services, and
  • 29% — Said ransomware has increased their need for better automation and faster response.

“In a post COVID world, the modern SOC needs to be a decentralized, capabilities-based organization that leverages industry-leading detection, prevention, visibility, and automation technologies, all of which are often augmented by managed services,” said Israel Barak, CISO, Cybereason.

Travel and Transportation Industries Struggling

The study also revealed that almost a third (31%) stated the ransomware threat has exposed their need for better insight and visibility into the full attack story against their organisation. On average, 35 percent of respondents in the United States need better insight and visibility. In Italy, that number jumps to 46 percent. In the travel and transportation industry, more than 57 percent of respondents lack the proper level of threat attack visibility, followed by 39 percent of respondents in the retail, catering and leisure industries.

The post Rise of Ransomware Attacks Main Focus for SOCs, research finds appeared first on IT Security Guru.

UK second most targeted nation behind America for Ransomware

After closely monitoring the most active ransomware groups in 2022, the KrakenLabs team at Outpost24 are sharing their latest report that delves deep into the significant ransomware trends, threat groups, victim profiles, and motives behind these attacks from the past year. In total, the researchers identified 2,363 disclosed victims by various ransomware groups on Data Leak Sites (DLS) in 2022.

Key facts from the report include:

  • Most active ransomware groups: Existing entities like LockBit, BlackCat, Hive, and Karakurt have demonstrated exponential growth and have surpassed previous records despite the disappearance of prominent threat groups such as CONTI and the old REvil.

Figure: The total of victims per ransomware group during the year 2022 (Top 10)

  • Most attacked countries: Victims were registered in 101 different countries, and 42% of them were from the United States. The UK is second on the list, followed by Canada, Germany, and France. In fact, 28% of victims were from Europe.

Figure: Top 20 countries with the highest number of victims

  • Worst offender: Last year, the ransomware group known as LockBit exhibited a significantly higher level of activity compared to other groups. They were responsible for 34% of all recorded attacks in 2022.
  • Sector most at risk: While critical infrastructure sectors accounted for just over half of the attacks perpetrated (51%), construction was the most targeted sector overall.

Figure: Breakdown of non-critical sectors that were most at risk

“The recent clampdown of Hive, following REvil, is a positive sign for all; however, organizations must ensure they keep their guards up against this constantly evolving threat by prioritising cyber hygiene through regular vulnerability assessment, security testing and combining detection with threat intelligence to surface risk signals that can help prevent infection,” said Alejandro Villanueva, Threat Intel Analyst at Outpost24 and author of the report.

Further analysis by Outpost24 also revealed periods in which the tables were turned and ransomware groups were themselves under DDoS (distributed denial of service) attack. In week 35 of 2022, the LockBit group claimed that it was being attacked as a consequence of leaking data stolen from Entrust, a cybersecurity company it had previously attacked. Outpost24 KrakenLabs detected that not just LockBit’s but many other ransomware groups’ DLSs were suffering DDoS attacks during this period. It is likely the attackers were aiming to disrupt the ransomware groups during the extortion process.

Figure: Ransomware groups suffering from DDoS in the last week of August 2022


The post UK second most targeted nation behind America for Ransomware appeared first on IT Security Guru.

Ransomware attack halts London trading

Ion Markets, a financial data group crucial to the financial plumbing underlying the derivatives trading industry, has fallen prey to the cybercrime group Lockbit.

The company has revealed that 42 clients have been affected by the attack, which has caused major disruption in its cleared derivatives division. 

Reports suggest that some clients have been unable to contact Ion by phone since Tuesday, with some travelling to the company’s office at St Paul’s to seek more information.

“The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing,” according to a post on Ion’s website. 

It’s understood that the incident has impacted other trade processing systems, even forcing some companies to process trades manually. 

Lockbit has been especially active recently, claiming responsibility for the attack on Royal Mail last month, which forced the company to suspend international postal deliveries. 

The cybercriminal group has reportedly used its signature ransomware, which encrypts files and issues a ransom note, typically demanding payment in cryptocurrency before the decryption key is provided.

Expert Insight: 

Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre:

“Software is the critical infrastructure for all other critical infrastructure. The attack on the Ion Markets illustrates not only the interconnected nature of the financial system, but also a crucial dependence on software.

Software is a powerful tool for productivity but must be managed properly. In particular, security must be a top priority in all phases of software, from its conception through to its deployment. This applies equally to builders and buyers. Builders must include security at every phase of their software development life cycle, using a combination of expert analysis and automated testing to flush out as many vulnerabilities as possible before software is put into production use. Buyers, similarly, should carefully evaluate the security practices of their vendors, then apply meticulous and repeatable processes for configuring, deploying, and operating the software they acquire. 

Every piece of software is, in essence, an incredibly complicated machine. To secure such a machine against attack, builders and buyers alike must examine the entire supply chain of infrastructure, tools, open source components, source code, and configurations in a ceaseless quest to locate and mitigate vulnerabilities. When an incident occurs, such as the Ion Markets attack, existing processes must be examined to understand what went wrong and how the processes can be improved to reduce risk in the future.”

Sam Curry, chief security officer at Cybereason:

“While specific details are scant at this time, with dozens of Ion’s customers potentially impacted by this latest shameless ransomware attack, you can’t just snap your fingers and restore disrupted services. Let me be clear that LockBit is a criminal organisation and their brazen attack raises their profile and spreads more fear, uncertainty and doubt across many industries. In time, we will learn if a ransom demand was issued and paid, or whether Ion refused to negotiate with this criminal organisation.

Organisations can’t pay their way out of ransomware, and those that do only embolden the criminals to launch future attacks. For Ion and other organisations that improve their network resiliency, the cyber criminals will quickly move onto softer targets because they are looking for the path of least resistance. Most gangs want to maintain a low profile and avoid being caught in the cross hairs of law enforcement agencies. In general, companies should prepare for ransomware attacks in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. Practise good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team and all the way to the Executive Suite.”

Jamie Cameron, security consultant at Adarma:

“Money is the biggest motivator for cyber threat groups like Lockbit, who are becoming ever more sophisticated in their attacks, which is why financial organisations need to be hyper-focused on building their cyber resilience. It’s important they are aware that Lockbit is currently in a state of flux, and that previous defences against Lockbit’s signature ransomware are no longer applicable. Lockbit is evolving and it’s vital that businesses update their defences accordingly.

We’ve observed that Lockbit have been bringing in developers from the BlackMatter ransomware group to write a new version of their software (Lockbit Black), which is now free on the open market due to a leak from a disgruntled developer over a pay dispute. Most recently, Lockbit has had a developer, believed to be from the now defunct Conti group, write new malware, known as Lockbit Green, or they’ve utilised the leaked toolset from the two prominent Conti leaks of last year to develop this new variant.

Lockbit have been launching attacks using both the original version of their ransomware and Lockbit Black and we see no reason why they wouldn’t throw Lockbit Green into the mix. Organisations should be aware of this due to how prolific the group are.”

Ziv Dines, CTO, Cyber at Armis:

“The majority of organisations see PII, critical infrastructure and operational downtime as the most at risk in the event of a cyberwarfare attack, and Lockbit’s recent activity encompasses all three. It’s clear from attacks on critical services such as the Royal Mail and ION Group, a major supplier of services to the financial system, that criminals are gathering pace.

The affected company confirmed the incident has been contained to a specific environment, but the operational inefficiencies caused by having to switch to manual processes introduce a significant amount of risk in both the short and long term. Organisations should be on high alert, making sure they have oversight of their internal systems and any assets that may be connected to them in order to spot and remediate anomalies quickly.”

Jamie Akhtar, CEO and co-founder of CyberSmart: 

“This incident and its attribution demonstrate that we aren’t dealing with run-of-the-mill cybercriminals or threats. Instead, this looks like a calculated attack on the very infrastructure that supports the UK’s financial system. What’s more, it’s a signal that the ‘cyber cold war’ being conducted as part of the conflict in Ukraine has begun to heat up.

We’ve been seeing a pattern of escalation in these attacks over the past few months, so we urge all businesses, even SMEs, to be as vigilant as possible in updating and patching software, employing good cyber hygiene, and treating anything unusual with suspicion.”

The post Ransomware attack halts London trading appeared first on IT Security Guru.

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

With the proliferation of cyber attacks in all industries, organizations are beginning to grasp the growing significance of cyber risk and how this is an integral part of protecting and maintaining an efficient business. Ransomware is the single biggest cyber threat to global businesses; in fact, during the first half of 2022 alone, there were a total of 236.1 million cases of ransomware, which reflects the immense risk to which companies of all sizes are exposed. Digital transformation is only increasing the risk associated with cyber failures.

Typically, the expectation has been that chief information security officers (CISOs) are solely responsible for protecting the entire asset base and ensuring that all security needs are met. However, chief financial officers (CFOs) are just as vital to managing cyber risk, which is now inherently also business risk.

Given their visibility into every business unit, CFOs are assuming new strategic roles. As such, they are tasked with guiding the growth of their companies along with developing and maintaining the digital transformation and finance function. To do so efficiently and safely, however, they must be aware of where their cyber risk lies and how to manage it.

The distributed workforce and hybrid working model have contributed to the expansion of the threat landscape, and defenders still struggle to keep pace. For leaders to properly secure their businesses and have robust systems in place, they must include financial advisors and CFOs in conversations around ransomware and cybersecurity, or risk not being adequately prepared. This is because cybersecurity now touches all aspects of a business; the responsibility to protect the organization no longer solely lies with the security teams.

Using FAIR™ (Factor Analysis of Information Risk), the international model designed to measure information security and operational risk, information security teams can quantify cyber risk in financial terms. As a result, they can convey risk to business leaders in a way they will understand and that is impactful: in specific dollar amounts. In doing so, CISOs and CFOs can collaborate more effectively as they factor cyber risk into their budgets. They must ask themselves whether they are investing in the most cost-effective ways to reduce risk and better protect the organization as a whole.

How reporting has changed

Financial regulators, too, are beginning to take cybersecurity more seriously, viewing it as more of a strategic priority. In the U.S. particularly, the SEC recently proposed amendments to its original rules around cybersecurity risk management, in which the expectation is for companies to evaluate their existing cyber policies and procedures.

According to those guidelines, businesses would have four days to report material cyber incidents, must provide more in-depth company reports, and regularly file cyber risk reports. As the CFO is responsible for disclosures of material interest, it is vital they are aware of all regulatory standards with which they must comply, as well as the risk to which they have been exposed. Cybersecurity standards and reporting requirements vary from country to country, and, in the U.S., from state to state as they continue to evolve.

Part of the new regulations also call for organizations to outline how cybersecurity is part of their business strategy and financial plan, and what role their boards play in securing the company against cyber threats. CFOs, CISOs, security teams and C-suite executives will need to actively work together to not only adhere to the new rules but ensure their business is protected from significant threats such as ransomware and other data breaches.

The importance of the CFO

The CFO is vital to determining whether certain cybersecurity incidents will become material and affect the business more seriously. They must also report on financial analysis for cyber incidents to those responsible for review and remediation, such as IT teams and the board and C-suite executives. More importantly, CFOs play a vital role in disclosing any concerning risk management policies and any oversight of cybersecurity risk that is not accounted for in original budgets.

The CFO’s expertise and input are crucial in ensuring that the organization’s cybersecurity capabilities align with the overall business strategy. This is only truly possible if a business is quantifying its cyber risk by following a risk quantification model such as the FAIR standard. By placing a monetary value on the risk to which an organization is exposed, the CFO can support C-suite executives and business leaders in making vital decisions to help secure the business.
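The quantification the article attributes to FAIR, both here and in the earlier passage on conveying risk in dollar amounts, is easier to picture with numbers. The following Python is an added example written for this page, not code from the article, from RiskLens or from the FAIR Institute. It uses a deliberately reduced two-factor model (annual loss event frequency as a Poisson process, per-event loss magnitude as a lognormal distribution) rather than the full FAIR taxonomy, and every input value is constructed. It also goes one step beyond the text by comparing a baseline against a hypothetical control so that the "is this spend cost-effective?" question the CFO is asked becomes a single number.

```python
from __future__ import annotations

import math
import random


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(loss_event_frequency: float, median_loss: float,
                           sigma: float, years: int = 50_000,
                           seed: int = 1) -> list[float]:
    """Monte Carlo of total annual loss.

    Each simulated year draws how many loss events occur (Poisson with the
    given annual frequency) and a lognormal magnitude for each event; the
    per-year totals form the loss-exposure distribution. This is a
    simplification of FAIR's frequency x magnitude structure, not the
    standard's full decomposition.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu = math.log(median_loss)  # lognormal median == exp(mu)
    totals = []
    for _ in range(years):
        events = poisson_sample(rng, loss_event_frequency)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (0 <= p <= 1) of a list of values."""
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]


def summarize(losses: list[float]) -> dict:
    """The figures a CFO would ask for: expected annual loss and tail values."""
    return {
        "annualized_loss_expectancy": sum(losses) / len(losses),
        "probability_of_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
    }


def control_net_benefit(baseline: dict, with_control: dict,
                        annual_cost: float) -> float:
    """Expected annual risk reduction minus what the control costs per year.

    Positive means the control pays for itself on expected loss alone; the
    tail percentiles should still be compared separately."""
    reduction = (baseline["annualized_loss_expectancy"]
                 - with_control["annualized_loss_expectancy"])
    return reduction - annual_cost


if __name__ == "__main__":
    # Constructed inputs: 0.3 ransomware loss events per year, median event
    # cost $200k with a wide spread (sigma 1.0). The hypothetical control
    # (say, offline backups) is assumed to halve the median loss per event
    # at an annual cost of $40k.
    base = summarize(simulate_annual_losses(0.3, 200_000, 1.0))
    ctrl = summarize(simulate_annual_losses(0.3, 100_000, 1.0))
    for label, s in (("baseline", base), ("with control", ctrl)):
        print(f"{label}: ALE ${s['annualized_loss_expectancy']:,.0f}, "
              f"P(loss) {s['probability_of_any_loss']:.2f}, "
              f"p90 ${s['p90']:,.0f}, p99 ${s['p99']:,.0f}")
    print(f"net benefit of control: ${control_net_benefit(base, ctrl, 40_000):,.0f}")
```

With these inputs the median year shows zero loss (most years have no event), which is exactly why the p90 and p99 figures matter more than the average when the board sets a risk appetite: the expected loss is modest, the bad year is not.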

The CFO’s insight is critical across many areas of cybersecurity including:

  1. Ransomware: The CFO is responsible for approving funding and advising the company on significant issues such as whether cybercriminals should receive their desired ransom. They play a pivotal role in ensuring the organization is fully prepared for all potential outcomes.
  2. Cyber insurance: Considering the trend that premiums are increasing while insurance coverage is decreasing, the CFO’s input on cost and value is critical. They are in the best position to understand where the risks lie and the potential financial losses that could be incurred.
  3. Regulatory compliance: Regulatory compliance is key to not incurring unnecessary and costly fines. Using a quantified value, CFOs can translate cyber risk into a universally understood concept and determine thresholds for when specific incidents can be considered material threats. In working together, information security teams and CFOs can determine the most cost-efficient plan to reach their compliance goals.
  4. Managing budgets: Collaboration with the CFO can help CISOs produce efficient spending benchmarks and evaluate how current investments are being used. Consequently, they can better allocate budgets where the risk is higher, depending on the dollar value previously calculated.

Cyber risk isn’t going to disappear soon. Ransomware is on the rise, as are other cyber threats, and cyber criminals are continuously developing new tactics, which creates more risk. It is vital that organizations adequately prepare themselves by taking all necessary measures to secure their company from any kind of breach, including the involvement of the CFO in vital conversations and decision-making processes.

To sufficiently prepare for ransomware and other large-scale cyber attacks, C-suite executives must consider budgets not only for compliance, but also for their risk appetite. In this way, they will be able to better protect themselves, while maximizing efficiency of budget spend. They must actively collaborate with information security teams as well as chief financial officers to be prepared for today’s cyber risk landscape.

By Dave Sutor, CFO at RiskLens

The post Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk appeared first on IT Security Guru.

Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks

Ransomware attacks are hitting organisations every day and infrastructure & operations (I&O) leaders are aggressively bolstering protection, detection and response capabilities against attacks.

However, questions remain as to whether existing disaster recovery (DR) and business continuity plans are sufficient for ransomware recovery.

To address this, I&O leaders must consider five areas in which the two recovery approaches differ, to better establish whether existing plans can withstand a potential ransomware attack.

  1. Similarities and Differences

Traditional DR and ransomware recovery have many similarities, including the need to coordinate with business continuity management, prioritise via recovery tiers and understand dependencies. Both also require procedures to assess the impact, declare and activate recovery plans, execute plans, and obtain clarity around access and maintenance.

However, ransomware recovery involves greater complexity and unpredictability and so it’s important to consider the business demand of the differing recovery steps in the process, which will naturally involve different stakeholders. These include varied recovery approaches, location, data loss, recovery time and the speed of a return to business as usual.

  2. Disaster Recovery Protects Against ‘Predictable’ Disasters

Traditional DR planning assumes that an entire location or application has failed, requiring failover to a DR location. These events can vary in scope, from regional power outages to IT equipment failure, and even natural disasters such as earthquakes, tornadoes and flooding, which destroy all infrastructure.

Planning for these events requires active or hot standby application infrastructure across data centres, which enables the failover to happen within a reasonable time, and with minimal or no data loss.

  3. Disaster Recovery Not Always Suitable for Ransomware Attacks

As of today, ransomware attacks are mostly well-planned, and the intrusion can start weeks or months before the final ransomware assault. Typically, ransomware is only activated as the last step in this well-prepared cyberattack, with attackers still having access during the attack.

Traditional DR usually relies on the replication and synchronisation of applications, data, and foundational network services between the primary site and the DR location. So, all the work the attackers do to compromise the production site will be replicated on the DR site. Consider that the contamination of the DR site will make it impossible to use standard recovery procedures after a cyberattack.

Contemplate that you may have to build from scratch in a worst-case situation and this will require planning to recover from alternative infrastructures, such as isolated recovery environments, cloud infrastructure, relocation sites and services.

  4. Disaster Recovery and Ransomware Recovery Follow Different Processes

Traditional DR activation follows a straightforward process where — after the disaster event is detected — an assessment is conducted to decide whether failover is required or not. After that, failover is executed and validated, and business continues. A well-planned failback (when applicable) can be executed when the primary environment is recovered.

Recovery from ransomware, on the other hand, requires multiple and more complex stages. In the first phase, there is a focus on stopping the attack from execution and propagation. In the second phase, forensic analysis is required to find out what happened, what ransomware was executed, the security issues at hand and how it infiltrated the infrastructure. During the third phase, analysis is required to find which network artefacts, apps, data and backups are affected.

Through phase four, there is a focus on the recovery of foundational infrastructure, by either a restore or a rebuild of all artefacts in the network, as well as storage and compute infrastructure, followed by a rebuild or recovery of network services like DNS and AD. In phase five, a dedicated isolated recovery environment (IRE) is leveraged to scan, repair, and validate operating and application/data systems to prepare for recovery back to the primary environment. Finally, in phase six, systems are migrated out of IRE back to production.

This level of impact on the entire infrastructure is what makes ransomware recovery so complex and unpredictable, as you need to first recover and resecure every impacted element in your infrastructure environment before you can recover systems, applications and their data. Examine the complexities that come along with the different processes and the demands this may ask of your organisation.

  5. Ransomware Recovery is a ‘Team Effort’

DR is often led by the DR team, which consists of the server team, network team, storage team, backup team, who all report to the DR manager, who then reports to the CIO. DR is part of the wider business continuity management process, where DR is responsible for the recovery of IT systems in a disaster situation.

Ransomware recovery, on the other hand, is initially led by the cybersecurity incident response team, which reports to the chief information security officer and is supported by other infrastructure and operations teams, including the DR team. Hence, recovery from a ransomware attack is far more of an all-enterprise effort; consider whether you have the resources to approach it appropriately.

Gartner analysts will further explore and compare disaster recovery and ransomware recovery at next year’s Gartner Security & Risk Management Summit 2023, taking place 26-28 September, in London, UK.

Jerry Rozeman is a Senior Director Analyst at Gartner

The post Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks appeared first on IT Security Guru.

Researchers Quietly Cracked Zeppelin Ransomware Keys

Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “Zeppelin” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things, the company’s data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. “Don’t pay,” the agent said. “We’ve found someone who can crack the encryption.”

Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn’t long before James discovered multiple vulnerabilities in the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn’t want to tip its hand to Zeppelin’s creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed.

This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code.

“The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” James said.

But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B’s referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists.

In a blog post published today to coincide with a Black Hat Dubai talk on their discoveries, James and co-author Joel Lathrop said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofit and charity organizations.

“What motivated us the most during the leadup to our action was the targeting of homeless shelters, nonprofits and charity organizations,” the two wrote. “These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post. A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.

“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”

Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.
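The key-recovery chain described in the preceding paragraphs (recover the per-machine RSA public key, factor it, use the private half to unwrap the symmetric file key) can be shown end to end at toy scale. The Python below is an added example written for this page; it is not Unit 221B’s tooling or any part of the malware. The modulus is about 60 bits and the wrapped session key 48 bits so that Pollard’s rho finishes in milliseconds; a real 512-bit modulus needs a number field sieve and the cluster-scale compute the article describes, but the principle is identical: an RSA modulus short enough to factor provides no confidentiality for whatever it wraps. The prime values, key sizes and the "registry" dictionary are constructed for the example.

```python
from __future__ import annotations

import math
import random

# Constructed toy parameters: two ~30-bit primes give a ~60-bit modulus,
# small enough that Pollard's rho factors it at once. The scheme in the
# article used RSA-512, which takes a number field sieve and far more CPU.
TOY_P = 1_000_000_007
TOY_Q = 998_244_353
RSA_E = 65537
SESSION_KEY_BITS = 48  # scaled down from the 256-bit AES key in the article


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the composite n (Floyd cycle finding).

    Cost grows roughly like n**(1/4): instant for 60 bits, hopeless for
    512 bits, which is why the modulus size alone decides whether a wrapped
    key is recoverable by this route.
    """
    if n % 2 == 0:
        return 2
    for c in range(1, 100):  # retry with a new polynomial if the cycle degenerates
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def simulate_infected_host(seed: int = 2020) -> tuple[dict, int]:
    """Model what a victim machine is left with: a per-host RSA public key and
    the symmetric session key wrapped under it, the private exponent having
    been discarded. Returns the simulated registry contents plus the true
    session key so a test can confirm recovery; a real victim has only the
    former. No file encryption is modelled here.
    """
    rng = random.Random(seed)  # constructed, reproducible "per-machine" randomness
    n = TOY_P * TOY_Q
    session_key = rng.getrandbits(SESSION_KEY_BITS)
    wrapped = pow(session_key, RSA_E, n)
    registry = {"public_key": (n, RSA_E), "wrapped_session_key": wrapped}
    return registry, session_key


def recover_session_key(registry: dict) -> int:
    """Recovery side: factor the public modulus, rebuild d, unwrap the key."""
    n, e = registry["public_key"]
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e; Python 3.8+
    return pow(registry["wrapped_session_key"], d, n)


if __name__ == "__main__":
    reg, true_key = simulate_infected_host()
    recovered = recover_session_key(reg)
    print(f"modulus bits: {reg['public_key'][0].bit_length()}")
    print(f"recovered key matches: {recovered == true_key}")
```

The defensive lesson is the one the researchers drew: a public key left on disk or in memory is only harmless if the private key is genuinely infeasible to derive from it, and at 512 bits that has not been true for many years.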

A typical Zeppelin ransomware note.

Jon is another grateful Zeppelin ransomware victim who was aided by Unit 221B’s decryption efforts. Like Peter, Jon asked that his last name and that of his employer be omitted from the story, but he’s in charge of IT for a mid-sized managed service provider that got hit with Zeppelin in July 2020.

The attackers that savaged Jon’s company managed to phish credentials and a multi-factor authentication token for some tools the company used to support customers, and in short order they’d seized control over the servers and backups for a healthcare provider customer.

Jon said his company was reluctant to pay a ransom in part because it wasn’t clear from the hackers’ demands whether the ransom amount they demanded would provide a key to unlock all systems, and that it would do so safely.

“They want you to unlock your data with their software, but you can’t trust that,” Jon said. “You want to use your own software or someone else who’s trusted to do it.”

In August 2022, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning on Zeppelin, saying the FBI had “observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”

The advisory says Zeppelin has attacked “a range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

The FBI and CISA say the Zeppelin actors gain access to victim networks by exploiting weak Remote Desktop Protocol (RDP) credentials, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups, the alert notes.

Jon said he felt so lucky after connecting with James and hearing about their decryption work, that he toyed with the idea of buying a lottery ticket that day.

“This just doesn’t usually happen,” Jon said. “It’s 100 percent like winning the lottery.”

By the time Jon’s company got around to decrypting their data, they were forced by regulators to prove that no patient data had been exfiltrated from their systems. All told, it took his employer two months to fully recover from the attack.

“I definitely feel like I was ill-prepared for this attack,” Jon said. “One of the things I’ve learned from this is the importance of forming your core team and having those people who know what their roles and responsibilities are ahead of time. Also, trying to vet new vendors you’ve never met before and build trust relationships with them is very difficult to do when you have customers down hard now and they’re waiting on you to help them get back up.”

A more technical writeup on Unit 221B’s discoveries (cheekily titled “0XDEAD ZEPPELIN”) is available here.

Hive Group Admits to Leaking Data in Tata Power Ransomware Attack

Reports have said that the Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber-attack against Tata Power, which the company disclosed on October 14 and which is believed to have occurred on October 3.

“The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” the Mumbai-based company said at the time.

Security researcher Rakesh Krishnan has claimed that the leak has reportedly affected several of Tata’s 12 million customers and includes personally identifiable information (PII) such as Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers, among others.

It appears that many have taken Hive leaking the stolen data to mean that any ransomware negotiations failed, but Edward Liebig, global director of cyber-ecosystem at Hexagon, has suggested a different option.

“Let’s face it, even if negotiations are successful, there is still only a 50% chance of recovery of the encrypted assets,” Liebig told Infosecurity in an emailed statement.

“The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.”

The executive has said another aspect to consider in this scenario is the rules of the cyber insurance carrier.

“Some Cyber Insurers prohibit the payment of a ransom,” Liebig said. “This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.”

Further to this, Liebig has said he believes that increasing the chances of defending against ransomware begins with watching the front and back doors.

“Watch for, block, and educate against incoming spam and phishing attempts. Know your assets and endpoints. Know and mitigate the vulnerabilities within your environment that enable the exploitation of those assets,” Liebig explained.

“The best way to defend against ransomware is never to let it take root in your systems. The next best way is to have a bulletproof, trusted recovery strategy to minimize downtime and eliminate the ‘ransom’ debate.”

According to statistics published by Intel 471 and Digital Shadows, Hive was the third-most prevalent ransomware family observed in Q3 2022.

Lastly, the ransomware group also upgraded its tools to Rust in July to deliver more sophisticated encryption.

The post Hive Group Admits to Leaking Data in Tata Power Ransomware Attack appeared first on IT Security Guru.

OldGremlin Ransomware Fierce Comeback Against Russian Targets

Earlier today, a ransomware group that unusually targets Russian organizations was reported to have upped its efforts this year, demanding larger ransoms from its victims and developing new malware for Linux, according to Group-IB.

Yesterday, the security vendor released what it claimed was the first comprehensive report on the group known as “OldGremlin,” which was first spotted in 2020.

“That year, the gang carried out dozens of campaigns, with emails purporting to be from micro-finance companies, a metals and mining company, a tractor manufacturer, and a business media holding,” the report explained.

“In 2021, the group carried out a single but highly successful campaign: the threat actor impersonating an association of online retailers. In 2022, OldGremlin carried out five campaigns masquerading as tax and legal services companies, a payment system, an IT company, and more.”

Overall, the gang has hit 16 organizations, a relatively low number compared to some of the more prolific ransomware groups. But it appears to have been more ambitious this year, demanding a record $16.9m from one victim, according to Group-IB.

In addition, OldGremlin has expanded its efforts to target Linux systems with a new malware variant. Initial access is achieved via phishing emails, after which the group deploys familiar tools like Cobalt Strike for lateral movement and other activity.

It appears that the group spends an average of 49 days inside victim networks before deploying the ransomware, meaning defenders have an opportunity to contain the threat if their detection and response is up to par, said Group-IB.

Additionally, as well as being unusual in targeting Russian organizations – in industries as diverse as banking, logistics, insurance, retail, real estate, software and even arms manufacturing – the group also takes “long breaks” after successful attacks, Group-IB noted.

However, the vendor warned that OldGremlin may expand its geographical reach in time.

“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies. According to our data, the gang’s track record includes almost 20 attacks with multi-million ransom demands, with large companies becoming their preferred targets more often,” said Ivan Pisarev, head of the dynamic malware analysis team.

“Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in post-Soviet space and then switched to other geographies.”

The post OldGremlin Ransomware Fierce Comeback Against Russian Targets appeared first on IT Security Guru.

Magniber Ransomware Uses JavaScript to Attack Individual Users

A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.

Reports describe a ransomware campaign isolated by HP Wolf Security in September 2022 in which Magniber ransomware was spread. The malware is a single-client ransomware family that demands $2,500 from victims.

Previously, Magniber was primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.

“Some malware families, such as Vjw0rm and GootLoader, rely exclusively on JavaScript, but have done so for some time,” Patrick Schläpfer, malware analyst at HP Wolf Security, told Infosecurity. “Currently, we are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.”

Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and evading detection techniques that rely on user-mode hooks by issuing syscalls directly instead of calling the standard Windows API libraries.

With the UAC bypass in place, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
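The shadow-copy deletion and recovery-disabling behaviour described above is something a defender can alert on from process-creation telemetry. The following is an added example, not code from HP Wolf Security or the original article: it runs a few detection rules over constructed Sysmon-style events and raises the severity when the parent process is a script host, matching the JavaScript delivery described here. It assumes the tampering is done through the built-in Windows utilities (vssadmin, wmic, bcdedit, wbadmin); the article does not say which mechanism Magniber uses, so this is an assumption.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical sample data,
# not taken from HP Wolf Security's analysis). Fields: image, parent, cmdline.
SAMPLE_EVENTS = [
    {"image": "wscript.exe", "parent": "explorer.exe",
     "cmdline": 'wscript.exe "C:\\Users\\home\\Downloads\\Windows10_Update.js"'},
    {"image": "vssadmin.exe", "parent": "wscript.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": "bcdedit.exe", "parent": "wscript.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"image": "wbadmin.exe", "parent": "cmd.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"image": "vssadmin.exe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: an admin listing copies
]

# Command-line patterns for the two behaviours described in the article:
# removing shadow copies and disabling Windows backup/recovery features.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    ],
}

# A script host as the parent raises severity: a JavaScript lure delivered the payload here.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def classify(event):
    """Return (rule_name, severity) if the event matches a rule, else None."""
    for name, patterns in RULES.items():
        if any(p.search(event["cmdline"]) for p in patterns):
            severity = "high" if event["parent"].lower() in SCRIPT_HOSTS else "medium"
            return name, severity
    return None


def detect(events):
    """Run the rules over a list of events and return alerts in input order."""
    alerts = []
    for event in events:
        hit = classify(event)
        if hit:
            alerts.append({"rule": hit[0], "severity": hit[1], "cmdline": event["cmdline"]})
    return alerts
```

Because the article notes Magniber issues syscalls directly to evade user-mode hooks, command-line rules like these should be paired with kernel-level telemetry (such as Sysmon or EDR events for volume shadow copy and boot configuration changes) rather than relied on alone.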

Describing the campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.

The user is then asked to download a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10 software update.

For Magniber to access and block files, it needs to be executed on a Windows account with administrator privileges – a level of access that is much more commonplace on personal systems.

“Consumers can protect themselves by following ‘least-privilege’ principles – only logging on with their administrator account when strictly needed, and creating another account for everyday use,” explained Schläpfer. “Users can also reduce risk by making sure updates are only installed from trusted sources, checking URLs to ensure official vendor websites are used, and backing up data regularly to minimize the impact of a potential data breach.”

To conclude, the company noted that this ransomware does not fall into the category of Big Game Hunting but can still cause significant damage.

“This is not a shift away from big game hunting, but rather demonstrates that not only enterprises are the focus of ransomware groups, but home users as well,” Schläpfer said.

The post Magniber Ransomware Uses JavaScript to Attack Individual Users appeared first on IT Security Guru.

Ransomware Group Demand £500,000 From Bedfordshire School

Wootton Upper School in Bedfordshire suffered a ransomware attack this week, with hackers demanding £500,000 in ransom, according to reports.

The attack also affected Kimberley College for 16-19 year olds; both are members of the Wootton Academy Trust. The attack was said to be the work of the Hive ransomware group.

The cybercriminals messaged parents and students to inform them of the compromise. Bank details, medical records, home addresses and psychological reviews were stolen in the attack.

On Tuesday, the Trust updated students and parents, saying that the disruption to its operations was limited due to the upcoming summer school holidays. The attack has, however, affected the production of some grade sheets along with scheduling for next year. The Trust hopes that backups will allow it to retrieve some data. Normal operations are expected to return within 10 days.

The Hive group believes that Wootton has £500,000 in cyber insurance, according to Bedford Today, a local newspaper. It has threatened the Trust with the release of all data unless they pay up.

The Trust said, “we understand there may be concerns about whether any pupil/student data has been impacted. While we don’t have firm answers to these questions at the moment, this is our number one priority of the ongoing investigations.”

Global cybersecurity advisor at ESET and former head of digital forensics at Dorset Police, Jake Moore, warned that the potential release of stolen data could pose a big problem for the Trust, even though the timing minimised disruption for the school.

Moore suggested that the damage could last for years. He added that local authorities often lack the funds to pay the desired ransoms, suggesting that this may not have been a targeted attack; rather, the school may simply have been caught up in a broader sweep of vulnerable systems.

The post Ransomware Group Demand £500,000 From Bedfordshire School appeared first on IT Security Guru.