Why it’s hard to sanction ransomware groups

A ransom message on a monochrome computer screen.


This story was originally published by ProPublica.

On February 25, the day after Russia invaded Ukraine, a prolific ransomware gang called Conti made a proclamation on its dark website. It was an unusually political statement for a cybercrime organization: Conti pledged its “full support of Russian government” and said it would use “all possible resources to strike back at the critical infrastructures” of Russia’s opponents.

Perhaps sensing that such a public alliance with the regime of Russian President Vladimir Putin could cause problems, Conti tempered its declaration later that day. “We do not ally with any government and we condemn the ongoing war,” it wrote in a follow-up statement that nonetheless vowed retaliation against the United States if it used cyberwarfare to target “any Russian-speaking region of the world.”


#biz-it, #ransomware, #russia, #ukraine-invasion

Ransomware sent North Carolina A&T University scrambling to restore services

Stock photo of ransom note with letters cut out of newspapers and magazines.


North Carolina A&T State University, the largest historically black college in the US, was recently struck by a ransomware group called ALPHV, sending university staff into a scramble to restore services last month.

“It’s affecting a lot of my classes, especially since I do take a couple of coding classes, my classes have been canceled,” Melanie McLellan, an industrial system engineering student, told the school newspaper, The A&T Register. “They have been remote, I still haven’t been able to do my assignments.”

The paper said the breach occurred the week of March 7 while students and faculty were on spring break. Systems taken down by the intrusion included wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River, many of which remained down when the student newspaper published its story two weeks ago.


#biz-it, #ransomware

Leaked ransomware documents show Conti helping Putin from the shadows


For years, Russia’s cybercrime groups have acted with relative impunity. The Kremlin and local law enforcement have largely turned a blind eye to disruptive ransomware attacks as long as they didn’t target Russian companies. Despite direct pressure on Vladimir Putin to tackle ransomware groups, they’re still intimately tied to Russia’s interests. A recent leak from one of the most notorious such groups provides a glimpse into the nature of those ties—and just how tenuous they may be.

A cache of 60,000 leaked chat messages and files from the notorious Conti ransomware group provides glimpses of how the criminal gang is well connected within Russia. The documents, reviewed by WIRED and first published online at the end of February by an anonymous Ukrainian cybersecurity researcher who infiltrated the group, show how Conti operates on a daily basis and its crypto ambitions. They likely further reveal how Conti members have connections to the Federal Security Service (FSB) and an acute awareness of the operations of Russia’s government-backed military hackers.


#biz-it, #conti, #fancy-bear, #hacking, #ransomware, #russia, #state-sponsored-hacking

Feds extradite ransomware suspects from 2 prolific gangs in a single week


Federal prosecutors extradited two suspected ransomware operators, including a man they said was responsible for an intrusion that infected as many as 1,500 organizations in a single stroke, making it one of the worst supply chain attacks ever.

Yaroslav Vasinskyi, 22, was arrested last August as he crossed from his native country of Ukraine into Poland. This week, he was extradited to the US to face charges that carry a maximum penalty of 115 years in prison. Vasinskyi arrived in Dallas, Texas, on March 3 and was arraigned on Wednesday.

First up: Sodinokibi/REvil

In an indictment, prosecutors said that Vasinskyi is responsible for the July 2, 2021 attack that first struck remote management software seller Kaseya and then caused its infrastructure to infect 800 to 1,500 organizations that relied on the Kaseya software. Sodinokibi/REvil, the ransomware group Vasinskyi allegedly worked for or partnered with, demanded $70 million for a universal decryptor that would restore all victims’ data.


#biz-it, #criminal-justice, #extortion, #indictments, #ransomware

Cybercriminals who breached Nvidia issue one of the most unusual demands ever

Close-up photograph of high-end computer component.


Data extortionists who stole up to 1 terabyte of data from Nvidia have delivered one of the most unusual ultimatums ever in the annals of cybercrime: allow Nvidia’s graphics cards to mine cryptocurrencies faster or face the imminent release of the company’s crown-jewel source code.

A ransomware group calling itself Lapsus$ first claimed last week that it had hacked into Nvidia’s corporate network and stolen more than 1TB of data. Included in the theft, the group claims, are schematics and source code for drivers and firmware. A relative newcomer to the ransomware scene, Lapsus$ has already published one tranche of leaked files, which among other things included the usernames and cryptographic hashes for 71,335 of the chipmaker’s employees.

The group then went on to make the highly unusual demand: remove a feature known as LHR, short for “Lite Hash Rate,” or see the further leaking of stolen data.


#biz-it, #lapsus, #nvidia, #ransomware

Conti cybergang gloated when leaking victims’ data. Now the tables are turned

A skull and crossbones on a computer screen are surrounded by ones and zeroes.


For months, members of Conti—among the most ruthless of the dozens of ransomware gangs in existence—gloated about publicly sharing the data they stole from the victims they hacked. Now, members are learning what it’s like to be on the receiving end of a major breach that spills all their dirty laundry—not just once, but repeatedly.

The unfolding series of leaks started on Sunday when @ContiLeaks, a newly created Twitter account, began posting links to logs of internal chat messages that Conti members had sent among themselves.

Two days later, ContiLeaks published a new tranche of messages.


#biz-it, #breach, #conti, #ransomware

Hacking group is on a tear, hitting US critical infrastructure and SF 49ers

A helmet for the San Francisco 49ers football team.


A couple of days after the FBI warned that a ransomware group called BlackByte had compromised critical infrastructure in the US, the group hacked servers belonging to the San Francisco 49ers football team and held some of the team’s data for ransom.

Media representatives for the NFL franchise confirmed a security breach to multiple news outlets following a post on BlackByte’s site on the dark web. The site promises victims that, in exchange for big payouts, BlackByte will not leak data. Instead, the bad actors will provide victims with a decryption key that allows the data to be recovered. The recent post made a 379MB file named “2020 Invoices” available for download. The file appeared to show hundreds of billing statements the 49ers had sent partners including AT&T, Pepsi, and the city of Santa Clara, where the 49ers play home games.

A busy three months

In statements provided to the Associated Press, Bleeping Computer, and The Record, franchise representatives said investigators were still assessing the breach.


#biz-it, #critical-infrastructure, #exploits, #ransomware, #san-francisco-49ers, #vulnerabilities

Hactivists say they hacked Belarus rail system to stop Russian military buildup

Servicemen of Russia's Eastern Military District units attend a welcoming ceremony as they arrive in Belarus to take part in joint military exercises. Russia's military is combining its own means of transport with train travel.


Hacktivists in Belarus said on Monday they had infected the network of the country’s state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine.

Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram:

BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the “Peklo” cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed.

Dozens of databases have been cyberattacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, pass.rw.by, uprava, IRC, etc.

⚠ Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.

The group also announced the attack by Twitter.


#belarus, #biz-it, #hacktivism, #policy, #ransomware, #russia

Russia says it has neutralized the cutthroat REvil ransomware gang

Skull and crossbones in binary code


Russian law enforcement authorities said on Friday that they have arrested 14 people associated with REvil, a top ransomware group that has disrupted critical operations of wealthy targets and held their data hostage.

The action, carried out by Russia’s FSB, the successor agency to the KGB, is a rare example of the country’s government cracking down on cybercrime by its citizens. The US and Russia have no extradition treaty in place, and critics have said the Kremlin routinely harbors cybercriminals as long as they don’t target organizations located in the former Soviet Union. The arrests come as tensions between Russia and the US escalate over a standoff involving Ukraine.

Big-game hunter neutralized

“The FSB of Russia established the full composition of the criminal community ‘REvil’ and the involvement of its members in the illegal circulation of means of payment and documented illegal activities,” Russian officials wrote. “In order to implement the criminal plan, these persons developed malicious software and organized the theft of funds from the bank accounts of foreign citizens and their cashing, including by purchasing expensive goods on the Internet.”


#biz-it, #ransomware, #revil, #russia

As Log4Shell wreaks havoc, payroll service reports ransomware attack


As the world is beset by Log4Shell, arguably the most severe vulnerability ever, one of the biggest payroll processors is reporting a ransomware attack that has taken its systems offline for at least the next several weeks. So far, it’s not saying if that vulnerability was the means hackers used to breach the systems.

The company said on Sunday that services using the Kronos Private Cloud had been unavailable for the past day, with the attack taking down Kronos’ UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions services.

“At this time, we still do not have an estimated restoration time, and it is likely that the issue may require at least several days to resolve,” Kronos representative Leo Daley wrote. “We continue to recommend that our impacted customers evaluate alternative plans to process time and attendance data for payroll processing, to manage schedules, and to manage other related operations important to their organization.”


#biz-it, #log4shell, #ransomware

Ransomware attack on Planned Parenthood steals data of 400,000 patients

A ransom message on a monochrome computer screen.


Ransomware hackers broke into a Planned Parenthood network and accessed medical records or other sensitive data for more than 400,000 patients of the reproductive health care group.

The disclosure came in a sample letter posted to the California attorney general’s website and a release published by the organization. Both said that the intrusion and data theft was limited to patients of Planned Parenthood’s Los Angeles chapter. Organization personnel first noticed the hack on October 17 and conducted an investigation.

“The investigation determined that an unauthorized person gained access to our network between October 9, 2021 and October 17, 2021, and exfiltrated some files from our systems during that time,” the letter stated. It went on to say: “On November 4, 2021, we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.”


#biz-it, #nonprofits, #planned-parenthood, #ransomware

Hackers backed by Iran are targeting US critical infrastructure, US warns

Illustration set of flags made from binary code targets.


Organizations responsible for critical infrastructure in the US are in the crosshairs of Iranian government hackers, who are exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet, government officials from the US, UK, and Australia warned on Wednesday.

A joint advisory published Wednesday said an advanced-persistent-threat hacking group aligned with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and Fortinet’s FortiOS, which forms the basis for the latter company’s security offerings. All of the identified vulnerabilities have been patched, but not everyone who uses the products has installed the updates. The advisory was released by the FBI, US Cybersecurity and Infrastructure Security Agency, the UK’s National Cyber Security Center, and the Australian Cyber Security Center.

A broad range of targets

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” the advisory stated. “FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”


#advanced-persistent-threat, #iran, #ransomware, #tech

US charges Ukrainian and Russian nationals over ransomware attacks

Russian national Yevgyeniy Polyanin remains at large.


US authorities have brought criminal charges against a Ukrainian and a Russian national for their roles in high-profile ransomware attacks as part of a sprawling global crackdown on digital extortion groups.

The US justice department on Monday said it had charged Ukrainian Yaroslav Vasinskyi, 22, for allegedly conducting one of the largest global supply chain ransomware attacks, the Kaseya hack, among others. The US is seeking to extradite Vasinskyi, who was arrested in Poland after crossing the border from Ukraine, Attorney General Merrick Garland said.

The sprawling hack in July hit information technology management software supplier Kaseya and an estimated 1,500 of its clients and clients’ clients. The attack forced Swedish supermarket chain Coop to close nearly all of its 800 stores.


#policy, #ransomware, #revil, #revil-ransomware, #russia

FBI, others crush REvil using ransomware gang’s favorite tactic against it


Four days ago, the REvil ransomware gang’s leak site, known as the “Happy Blog,” went offline. Cybersecurity experts wondered aloud what might have caused the infamous group to go dark once more.

One theory was that it was an inside job pulled by the group’s disaffected former leader. Another was that law enforcement had successfully hacked and dismantled the group. “Normally, I am pretty dismissive of ‘law enforcement’ conspiracy theories, but given that law enforcement was able to pull the keys from the Kaseya attack, it is a real possibility,” Allan Liska, a ransomware expert, told ZDNet at the time.

“Rebranding happens a lot in ransomware after a shutdown,” he said. “But no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb.”


#fbi, #hacking, #national-security, #policy, #ransomware, #revil

Russia arrests cybersecurity expert on treason charge

KAZAN, RUSSIA - JULY 9, 2020: Group-IB CEO and founder Ilya Sachkov speaks during a panel discussion with representatives of the IT industry at Innopolis' Popov Technopark.


The founder of one of Russia’s largest cybersecurity companies has been arrested on suspicion of state treason and will be held in a notorious prison run by the security services for the next two months, a Moscow court said on Wednesday.

The charges against Ilya Sachkov, founder of Group-IB, are classified and details of them were not immediately clear. State-run news agency Tass cited an anonymous source who said Sachkov denied passing on secret information to foreign intelligence services.

Group-IB, which specializes in preventing cybercrime and ransomware, confirmed that law enforcement raided its offices yesterday but said it did not know the reason for Sachkov’s arrest.


#biz-it, #cybersecurity, #group-ib, #policy, #ransomware, #russia

Ransomware victims panicked while FBI secretly held REvil decryption key

Circular seal against a marble wall.


For three weeks during the REvil ransomware attack this summer, the FBI secretly withheld the key that would have decrypted data and computers on up to 1,500 networks, including those run by hospitals, schools, and businesses.

The FBI had penetrated the REvil gang’s servers to obtain the key, but after discussing it with other agencies, the bureau decided to wait before sending it to victims, The Washington Post reports. The FBI hadn’t wanted to tip off the REvil gang and had hoped to take down its operations, sources told the Post.

Instead, REvil went dark on July 13 before the FBI could step in. For reasons that haven’t been explained, the FBI didn’t cough up the key until July 21.


#biz-it, #encryption, #fbi, #ransomware, #revil, #russian-hacking

$5.9 million ransomware attack on farming co-op may cause food shortage


Iowa-based provider of agriculture services NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group that is behind the attack has put forth a $5.9 million ransom demand. The farming cooperative has said the attack could significantly impact the public supply of grain, pork, and chicken if it cannot bring its systems back online.

BlackMatter says it doesn’t hit “critical infrastructure”

Ransomware group BlackMatter has hit NEW Cooperative and is demanding $5.9 million to provide a decryptor, according to screenshots shared online by threat intel analysts.

“Your website says you do not attack critical infrastructure. We are critical infrastructure… intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain,” a NEW Cooperative representative appears to be telling BlackMatter during a private negotiation chat.


#biz-it, #blackmatter, #critical-infrastructure, #cyber-attack, #food-supply-chain, #ransomware, #supply-chain, #tech

Ransomware: A market problem deserves a market solution

REvil is a solid choice for a villain’s name: R Evil. Revil. Evil and yet fun. I could imagine Black Widow, Hulk and Spider-Man teaming up to topple the leadership of REvil Incorporated.

The criminal gang using the name REvil may have enabled ransomware attacks on thousands of small businesses worldwide this summer — but the ransomware problem is bigger than REvil, LockBit or DarkSide. REvil has disappeared from the internet, but the ransomware problem persists.

REvil is a symptom, not the cause. I advise Tony Stark and his fellow Avengers to look past any one criminal organization — because there is no evil mastermind. Ransomware is just the latest in the 50,000-year evolution of petty criminals discovering get-rich-quick schemes.

The massive boom in the number of ransomware occurrences arises from the lack of centralized control. More than 304 million ransomware attacks hit global businesses last year, with costs surpassing $178,000 per event. Technology has created a market where countless petty criminals can make good money fast. The best way to fight this kind of threat is with a market-based approach.

The spike in global ransomware attacks reflects a massive “dumbing down” of criminal activity. People looking to make an illicit buck have many more options available to them today than they did even two years ago. Without technical chops, people can steal your data, hold it for ransom and coerce you to pay to get it back. Law enforcement has not yet responded to combat this form of cybercrime, and large, sophisticated criminal networks have likewise not yet figured out how to control the encroaching upstarts.

The spike in ransomware attacks is attributable to the “as a service” economy. In this case, we’re talking about RaaS, or ransomware as a service. This works because each task in the ransomware chain benefits from the improved sophistication enabled by the division of labor and specialization.

Someone finds a vulnerable target. Someone provides bulletproof infrastructure outside of the jurisdiction of responsible law enforcement. Someone provides the malicious code. The players all come together without knowing each other’s names. No need to meet in person as Mr. Pink, Mr. Blonde and Mr. Orange because the ability to coordinate tasks has become simple. The rapid pace of technological innovation created a decentralized market, enabling amateurs to engage in high-dollar crimes.

There’s a gig economy for the underworld just like there is for the legal business world. I’ve built two successful software companies, even though I’m an economist. I use open source software and rent infrastructure via cloud technologies. I operated my first software company for six years before I sought outside capital, and I used that money for marketing and sales more than technology.

This tech advancement is both good and bad. The global economy did better than expected during a global pandemic because technology enabled many people to work from anywhere.

But the illicit markets of crime also benefited. REvil provided a service — a piece of a larger network — and earned a share of proceeds from ransomware attacks committed by others — like Jeff Bezos and Amazon get a share of my company’s revenues for the services they provide to me.

To fight ransomware attacks, appreciate the economics — the markets that enable ransomware — and change the market dynamics. Specifically, do three things:

1. Analyze the market like a business executive

Any competitive business thinks about what’s allowing competitors to succeed and how they can outcompete. The person behind a ransomware strike is an entrepreneur or a worker in a firm engaged in cybercrime, so start with good business analytics using data and smart business questions.

Can the crypto technologies that enable the crime also be used to enable entity resolution and deny anonymity/pseudonymity? Can technology undermine a criminal’s ability to recruit, coordinate or move, store and spend the proceeds from criminal activities?

2. Define victory in market terms

Doing the analytics to understand competing firms allows one to more clearly see the market for ransomware. Eliminating one “firm” often creates a power vacuum that will be filled by another, provided the market remains the same.

REvil disappeared, but ransomware attacks persist. Victory in market terms means creating markets in which criminals choose not to engage in the activity in the first place. The goal is not to catch criminals, but to deter the crime. Victory against ransomware happens when arrests drop because attempted attacks drop to near zero.

3. Combat RaaS as an entrepreneur in a competitive market

To prevent ransomware is to fight against criminal entrepreneurs, so the task requires one to think and fight crime like an entrepreneur.

Crime-fighting entrepreneurs require collaboration — networks of government officials, banking professionals and technologists in the private sector across the globe must come together.

Through artificial intelligence and machine learning, the capability to securely share data, information and knowledge while preserving privacy exists. The tools of crime become the tools to combat crime.

No evil mastermind sits in their lair laughing at the chaos inflicted on the economy. Instead, growing numbers of amateurs are finding ways to make money quickly. Tackling the ransomware industry requires the same coordinated focus on the market that enabled amateurs to enter cybercrime in the first place. Iron Man would certainly agree.

#column, #computer-security, #crime, #cybercrime, #machine-learning, #malware, #open-source-software, #ransomware, #security, #security-breaches, #tc

Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.


Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between DarkSide and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and tout stolen data, did not have an entry for Olympus at the time of publication.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.

#africa, #colonial-pipeline, #crime, #crimes, #cyberattacks, #cybercrime, #digital-cameras, #electronics, #kaseya, #middle-east, #olympus, #ransomware, #security, #spokesperson, #u-s-government, #united-states

Howard University cancels classes after ransomware attack

Washington D.C’s Howard University has canceled classes after becoming the latest educational institution to be hit by a ransomware attack.

The incident was discovered on September 3, just weeks after students returned to campus, when the University’s Enterprise Technology Services (ETS) detected “unusual activity” on the University’s network and intentionally shut it down in order to investigate.

“Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack,” the university said in a statement. While some details remain unclear — it’s unknown who is behind the attack or how much of a ransom was demanded — Howard University said that there is no evidence so far to suggest that personal data of its 9,500 undergraduate and graduate students has been accessed or exfiltrated.

“However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said.

In order to enable its IT team to fully assess the impact of the ransomware attack, Howard University has canceled Tuesday’s classes, opening its campus to essential employees only. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software will remain available to students and teachers.

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data,” the university said. “We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering.”

But the university warned that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest in a long line of educational institutions to be hit by ransomware since the start of the pandemic, with the FBI’s Cyber Division recently warning that cybercriminals using this type of attack are focusing heavily on schools and universities due to the widespread shift to remote learning. Last year, the University of California paid $1.14 million to NetWalker hackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

According to figures Emsisoft threat analyst Brett Callow published last month, ransomware attacks have disrupted 58 U.S. education organizations and school districts, including 830 individual schools, so far in 2021. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

“We’ll likely see a significant increase in ed sector incidents in the coming weeks,” Callow tweeted on Tuesday.

Why ransomware hackers love a holiday weekend

Gah, don’t you miss unstressed travel? (credit: Klaus Vedfelt / Getty Images)

On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before the Fourth of July, it was IT management software company Kaseya and, by extension, over a thousand businesses of varying size. It remains to be seen whether Labor Day will see a high-profile ransomware meltdown as well, but one thing is clear: Hackers love holidays.

Really, ransomware hackers love regular weekends, too. But a long one? When everyone’s off carousing with family and friends and studiously avoiding anything remotely office-related? That’s the good stuff. And while the trend isn’t new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency underscores how serious the threat has become.

The appeal to attackers is pretty straightforward. Ransomware can take time to propagate throughout a network, as hackers work to escalate privileges for maximum control over the most systems. The longer it takes for anyone to notice, the more damage they can do. “Generally speaking, the threat actors deploy their ransomware when there is less likelihood of people being around to start pulling plugs,” says Brett Callow, threat analyst at antivirus company Emsisoft. “The less chance of the attack being detected and interrupted.”


Hunters brings in $30M Series B to grow XDR security tech

With the growing volume of ransomware and supply chain security attacks, there is a need for organizations to more rapidly detect threats. It’s that opportunity that startup Hunters is looking to capitalize on as the company today announced that it has raised a $30 million Series B round led by Bessemer Venture Partners (BVP).

Hunters, which has offices in Newton, Mass. and Tel Aviv, Israel, was founded in 2018 and has raised a total of $50.4 million to date. The company raised a seed round of $5.4 million in May 2019 led by YL Ventures and Blumberg Capital. A $15M Series A round followed in June 2020 with participation from Microsoft’s M12 and U.S. Venture Partners. An additional growth round was announced in December 2020, with Snowflake Ventures investing in Hunters.

The startup builds a technology known as extended detection and response (XDR), which pulls in data from different sources and sensors. All that data is then correlated and analyzed to ‘hunt’ for potential indicators of compromise. Hunters co-founder and CEO Uri May explained that his company’s Open XDR platform can help to identify the tactics, techniques and procedures (TTPs) that attackers use to gain access to and exploit an organization. The goal is to reduce the time to detection and accelerate the time to response for a potential security incident.

The involvement of Snowflake Ventures as an investor, as well as Snowflake as a partner for Hunters, is one of the reasons that attracted Bessemer to the company. Alex Ferrara, a partner at BVP, said that while there are other vendors in the same space as Hunters, none of them have partnered with a cloud data warehouse vendor like Snowflake, which for him was a big differentiator. Overall, it’s the market landscape and the current state of cyberattacks that make Hunters an interesting startup for Ferrara and his firm.

“We are excited about Hunters because you know we are seeing the institutionalization of ransomware,” Ferrara told TechCrunch. “So I think there is a need for something like Hunters that can be more proactive in a world where I think many enterprises and mid-market companies have already been compromised.”

Another key market trend that Ferrara sees Hunters fitting into is the need to fill the gap in talented security professionals. Hunters’ technology makes use of automation and machine learning so that security analysts can be more effective in a shorter amount of time.

May said that the new funding will help to move Hunters to the next stage of the startup company’s evolution. To date, he said the company has hit its own internal milestones for customer acquisition and revenues, finding a good market fit for its XDR technology. Now he’s looking to scale the business, growing the go-to-market sales and marketing initiatives and partner efforts. May emphasized that he’s also keen to use the funding to cut through the increasingly noisy business of security technology with new innovations that will disrupt the market, providing even more capabilities to users.

Among the new innovations that Hunters is working on is enhanced machine learning technology to better understand and correlate sources of information. Expanding sources for the Hunters platform is another area where May expects to expand his company’s platform, with the future integration of more threat intelligence data feeds.

“There’s a very elaborate and unique roadmap that we’re working on in terms of innovation that is related to the research that we’re conducting around cybersecurity,” May said.

Ransomware recovery can be costly, and not just because of the ransom

Ransomware is rarely out of the headlines. Just last week, IT consulting giant Accenture was hit by the LockBit ransomware gang, days after Taiwan-based laptop maker Gigabyte also fell victim to an apparent ransomware attack, leading the hackers to leak gigabytes of confidential AMD and Intel data.

Unsurprisingly, ransomware — which has rocketed in activity during the pandemic — remains among the most costly threats to businesses, with large U.S. companies losing an average of $5.66 million each year to ransomware. But new findings show that is not for the reason you might think.

While we often hear of multimillion-dollar ransom payments made to hackers, research from Proofpoint and the Ponemon Institute found that ransom payments typically account for less than 20% of the total cost of a ransomware attack. Of that $5.66 million figure each year, just $790,000 accounts for ransom payments. Rather, the research shows businesses suffer the majority of their losses through lost productivity and the time-consuming task of containing and cleaning up after a ransomware attack.

Proofpoint says that the remediation process for an average-sized organization takes on average 32,258 hours, which when multiplied by the average $63.50 IT hourly wage totals more than $2 million. Downtime and lost productivity are another costly consequence of ransomware attacks; the research shows that phishing attacks, for example, which were determined to be the root cause of almost one-fifth of ransomware attacks last year, have led to employee productivity losses of $3.2 million in 2021, up from $1.8 million in 2015.

“In the wake of a ransomware attack, communication and interaction between employees and any affected external parties must increase massively, causing many teams to have to drop all existing work as part of their ‘day job’ immediately and focus on this urgent matter, for potentially days, weeks or even months,” Proofpoint’s Andrew Rose told TechCrunch.

“They automatically face more scrutiny from customers, regulators and have to increase reliance on third parties. This may include a significant increase in external audits by customers and regulators, which again increases workload cost. There’s also the potential of regulatory fines, or class action lawsuits from customers,” said Rose.

This isn’t all businesses have to contend with from a financial point of view; organizations hit by ransomware are also likely to face an increase in cyber insurance costs, hefty IT expenditure and likely will have to cough up for PR teams, legal staff, customer services and external specialists. There’s also the brand and reputational fallout from such attacks: recent research from Cybereason shows that more than half of U.S. companies reported their brand was tarnished as a result of a ransomware attack. 

“For public organizations, there is also the potential for the share price to fall,” Rose adds. “Customers can also lose trust in a business once they know their data may have been at risk, which may in turn cause them to jump ship to a competitor, costing revenue.”

Don’t give your weed dealer all your data

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast, where we unpack the numbers behind the headlines.

Our beloved Danny was back, joining Natasha and Alex and Grace and Chris to chat through yet another incredibly busy week. As a window into our process, every week we tell one another that the next week we’ll cut the show down to size. Then the week is so interesting that we end up cutting a lot of news, but also keeping a lot of news. The chaotic process is a work in progress, but it means that the end result is always what we decided we can’t not talk about.

Here’s what we got into:

Equity drops every Monday at 7:00 a.m. PDT, Wednesday, and Friday morning at 7:00 a.m. PDT, so subscribe to us on Apple Podcasts, Overcast, Spotify and all the casts.

Siga secures $8.1M Series B to prevent cyberattacks on critical infrastructure

Siga OT Solutions, an Israeli cybersecurity startup that helps organizations secure their operations by monitoring the raw electric signals of critical industrial assets, has raised $8.1 million in Series B funding.

Siga says its SigaGuard technology, used by Israel’s critical water facilities and the New York Power Authority, is unique in that rather than monitoring the operational network, it uses machine learning and predictive analysis to “listen” to Level 0 signals. These are typically made up of components and sensors that receive electrical signals, rather than protocols or data packets that can be manipulated by hackers.

By monitoring Level 0, which Siga describes as the “richest and most reliable level of process data within any operational environment,” the company can detect cyberattacks on the most critical and vulnerable physical assets of national infrastructures. This, it claims, ensures operational resiliency even when hackers are successful in manipulating the logic of industrial control system (ICS) controllers.

Amir Samoiloff, co-founder and CEO of Siga, says: “Level 0 is becoming the major axis in the resilience and integrity of critical national infrastructures worldwide and securing this level will become a major element in control systems in the coming years.”

The company’s latest round of funding — led by PureTerra Ventures, with investment from Israeli venture fund SIBF, Moore Capital, and Phoenix Contact — comes amid an escalation in attacks against operational infrastructure. Israel’s water infrastructure was hit by three known cyberattacks in 2020 and these were followed by an attack on the water system of a city in Florida that saw hackers briefly increase the amount of sodium hydroxide in Oldsmar’s water treatment system. 

The $8.1 million investment lands three years after the startup secured $3.5 million in Series A funding. The company said it will use the funding to accelerate its sales and strategic collaborations internationally, with a focus on North America, Europe, Asia, and the United Arab Emirates. 


A Silicon Valley VC firm with $1.8B in assets was hit by ransomware

Advanced Technology Ventures, a Silicon Valley venture capital firm with more than $1.8 billion in assets under its management, was hit by a ransomware attack in July that saw cybercriminals steal personal information on the company’s private investors, or limited partners (LPs).

In a letter to the Maine attorney general’s office, ATV said it became aware of the attack on July 9 after its servers storing financial information had been encrypted by ransomware. By July 26, ATV learned that data had been stolen from the servers before the files were encrypted, a common “double extortion” tactic used by ransomware groups, which then threaten to publish the files online if the ransom to decrypt the files is not paid.

The letter said ATV believes the names, email addresses, phone numbers and Social Security numbers of the individual investors in ATV’s funds were stolen in the attack. Some 300 individuals were affected by the incident, including one person in Maine, according to a listing on the Maine attorney general’s data breach notification portal.

Venture capital firms often do not disclose all of their LPs — the investors who have thrown millions into an investment vehicle — to the public. A number of pre-approved names may be included in an announcement, but overall, a company’s private investors try to stay that way: private. The reasons vary, but it comes down to secrecy and a degree of competitive advantage: The firm may not want competitors to know who is backing them, and an investor may not want others to know where their money is going. This particular attack likely stole key information on a hush-hush part of how venture money works.

ATV said it notified the FBI about the attack. A spokesperson for the FBI did not immediately comment when reached by TechCrunch. ATV’s managing director Mike Carusi did not respond to questions sent by TechCrunch on Monday.

The venture capital firm, based in Menlo Park, California, with offices in Boston, was founded in 1979 and invests largely in technology, communications, software and services, and healthcare technology. The company was an early investor in many of the startups from the last decade, like software library Fandango, Host Analytics (now Planful) and Apptegic (now Evergage). Its more recent investments include Tripwire, which was later sold to cybersecurity company Belden for $710 million; Cedexis, a network traffic monitoring startup acquired by Cisco in 2018; and Actifio, which was sold to Google in 2020.

Natasha Mascarenhas contributed reporting.

Biden warns cyber attacks could lead to a “real shooting war”

US President Joe Biden, NATO Secretary General Jens Stoltenberg and Belgian Prime Minister Alexander De Croo attend a plenary session of a NATO summit at the North Atlantic Treaty Organization (NATO) headquarters in Brussels, on June 14, 2021. (credit: Laurie Dieffembacq | Getty Images)

President Joe Biden has warned that cyberattacks could escalate into a full-blown war as tensions with Russia and China mounted over a series of hacking incidents targeting US government agencies, companies, and infrastructure.

Biden said on Tuesday that cyber threats including ransomware attacks “increasingly are able to cause damage and disruption in the real world.”

“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” the president said in a speech at the Office for the Director of National Intelligence, which oversees 18 US intelligence agencies.


Haron and BlackMatter are the latest groups to crash the ransomware party

July has so far ushered in at least two new ransomware groups. Or maybe they’re old ones undergoing a rebranding. Researchers are in the process of running down several different theories.

Both groups say they are aiming for big-game targets, meaning corporations or other large businesses with the pockets to pay ransoms in the millions of dollars. The additions come as recent ransomware intrusions of oil pipeline operator Colonial Pipeline, meat packer JBS SA, and managed network provider Kaseya have caused major disruptions and created pressure in Washington to curb the threats.

Haron: like Avaddon. Or maybe not

The first group is calling itself Haron. A sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, South Korean security firm S2W Lab discussed the group in a post.


Kaseya gets master decryptor to help customers still suffering from REvil attack

Close-up of an armored door key. (credit: Getty Images)

Kaseya—the remote management software seller at the center of a ransomware operation that struck as many as 1,500 downstream networks—said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack.

Affiliates of REvil, one of the Internet’s most cutthroat ransomware groups, exploited a critical zero-day vulnerability in Miami, Florida-based Kaseya’s VSA remote management product. The vulnerability—which Kaseya was days away from patching—allowed the ransomware operators to compromise the networks of about 60 customers. From there, the extortionists infected as many as 1,500 networks that relied on the 60 customers for services.

Finally, a universal decryptor

“We obtained the decryptor yesterday from a trusted third party and have been using it successfully on affected customers,” Dana Liedholm, senior VP of corporate marketing, wrote in an email on Thursday morning. “We are providing tech support to use the decryptor. We have a team reaching out to our customers, and I don’t have more detail right now.”


Saudi Aramco confirms data leak after $50 million cyber ransom demand

The Hawiyah Natural Gas Liquids Recovery Plant, operated by Saudi Aramco, in Hawiyah, Saudi Arabia, on Monday, June 28, 2021. (credit: Bloomberg | Getty Images)

Saudi Aramco, the world’s largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a contractor, after a cyber extortionist claimed to have seized troves of its data last month and demanded a $50 million ransom from the company.

Aramco said in a statement that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors.” The oil company did not name the supplier or explain how the data were compromised.

“We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cyber security posture,” Aramco added.


DNSFilter secures $30M Series A to step up fight against DNS-based threats

DNSFilter, an artificial intelligence startup that provides DNS protection to enterprises, has secured $30 million in Series A funding from Insight Partners.

DNSFilter, as its name suggests, offers DNS-based web content filtering and threat protection. Unlike the majority of its competitors, which include the likes of Palo Alto Networks and Webroot, the startup uses proprietary AI technology to continuously scan billions of domains daily, identifying anomalies and potential vectors for malware, ransomware, phishing, and fraud.

“Most of our competitors either rent or lease a database from some third party,” Ken Carnesi, co-founder and CEO of DNSFilter, tells TechCrunch. “We do that in-house, and it’s through artificial intelligence that’s scanning these pages in real-time.”

The company, which counts the likes of Lenovo, Newegg, and Nvidia among its 14,000 customers, claims this industry-first technology catches threats an average of five days before competitors and is capable of identifying 76% of domain-based threats. By the end of 2021, DNSFilter says it will block more than 1.1 million threats daily.

DNSFilter has seen rapid growth over the past 12 months as a result of the mass shift to remote working and the increase in cyber threats and ransomware attacks that followed. The startup saw eightfold growth in customer activity, doubled its global headcount to just over 50 employees, and partnered with Canadian software house N-Able to push into the lucrative channel market.  

“DNSFilter’s rapid growth and efficient customer acquisition are a testament to the benefits and ease of use compared to incumbents,” said Thomas Krane, principal at Insight Partners, who has been appointed as a director on DNSFilter’s board. “The traditional model of top-down, hardware-centric network security is disappearing in favor of solutions that readily plug in at the device level and can cater to highly distributed workforces.”

Prior to this latest funding round, which was also backed by Arthur Ventures (the lead investor in DNSFilter’s seed round), CrowdStrike co-founder and former chief technology officer  Dmitri Alperovitch also joined DNSFilter’s board of directors. 

Carnesi said the addition of Alperovitch to the board will help the company get its technology into the hands of enterprise customers. “He’s helping us to shape the product to be a good fit for enterprise organizations, which is something that we’re doing as part of this round — shifting focus to be primarily mid-market and enterprise,” he said.

The company also recently added former CrowdStrike vice president Jen Ayers as its chief operating officer. “She used to manage their entire managed threat hunting team, so she’s definitely coming on for the security side of things as we build out our domain intelligence team further,” Carnesi said.

With its newly-raised funds, DNSFilter will further expand its headcount, with plans to add more than 80 new employees globally over the next 12 months.

“There’s a lot more that we can do for security via DNS, and we haven’t really started on that yet,” Carnesi said. “We plan to do things that people won’t believe were possible via DNS.”

The company, which acquired Web Shrinker in 2018, also expects there to be more acquisitions on the cards going forward. “There are some potential companies that we’d be looking to acquire to speed up our advancement in certain areas,” Carnesi said.

Microsoft confirms it’s buying cybersecurity startup RiskIQ

Microsoft has confirmed it’s buying RiskIQ, a San Francisco-based cybersecurity company that provides threat intelligence and cloud-based software as a service for organizations.

Terms of the deal, which will see RiskIQ’s threat intelligence services integrated into Microsoft’s flagship security offerings, were not disclosed, although Bloomberg previously reported that Microsoft will pay more than $500 million in cash for the company. Microsoft declined to confirm the reported figure.

The announcement comes amid a heightened security landscape as organizations shift to remote and hybrid working strategies.

RiskIQ scours the web, mapping out details about websites and networks, domain name records, certificates and other information, like WHOIS registration data, providing customers visibility into what assets, devices and services can be accessed outside of a company’s firewall. That helps companies lock down their assets and limit their attack surface from malicious actors. It’s that data in large part that helped the company discover and understand Magecart, a collection of groups that inject credit card stealing malware into vulnerable websites.

Microsoft says that by embedding RiskIQ’s technologies into its core products, its customers will be able to build a more comprehensive view of the global threats to their businesses as workforces continue to work outside of the traditional office environment.

The deal will also help organizations to keep an eye on supply-chain risks, Microsoft says. This is likely a growing priority for many: an attack on software provider SolarWinds last year affected at least 18,000 of its customers, and just this month IT vendor Kaseya fell victim to a ransomware attack that spread to more than 1,000 downstream businesses.

Eric Doerr, vice president of cloud security at Microsoft, said: “RiskIQ helps customers discover and assess the security of their entire enterprise attack surface — in the Microsoft cloud, AWS, other clouds, on-premises, and from their supply chain. With more than a decade of experience scanning and analyzing the internet, RiskIQ can help enterprises identify and remediate vulnerable assets before an attacker can capitalize on them.”

RiskIQ was founded in 2009 and has raised a total of $83 million over four rounds of funding. Elias Manousos, who co-founded RiskIQ and serves as its chief executive, said he was “thrilled” at the acquisition.

“The vision and mission of RiskIQ is to provide unmatched internet visibility and insights to better protect and inform our customers and partners’ security programs,” said Manousos. “Our combined capabilities will enable best-in-class protection, investigations, and response against today’s threats.”

The acquisition is one of several Microsoft has made in the cybersecurity space in recent months. The software giant last year bought Israeli security startup CyberX in a bid to boost its Azure IoT business, and just last month it acquired Internet of Things security firm ReFirm Labs.

This crowdsourced payments tracker wants to solve the ransomware visibility problem

Ransomware attacks, fueled by COVID-19 pandemic turbulence, have become a major money earner for cybercriminals, with the number of attacks rising in 2020.

These file-encrypting attacks have continued largely unabated this year, too. In the last few months alone we’ve witnessed the attack on Colonial Pipeline that forced the company to shut down its systems — and the gasoline supply — to much of the eastern seaboard, the hack on meat supplier JBS that abruptly halted its slaughterhouse operations around the world, and just this month a supply chain attack on IT vendor Kaseya that saw hundreds of downstream victims locked out of their systems.

However, while ransomware attacks continue to make headlines, it’s near-impossible to understand their full impact, and it is not known whether certain decisions — such as paying the cybercriminals’ ransom demands — make any difference.

Jack Cable, a security architect at Krebs Stamos Group who previously worked for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is looking to solve that problem with the launch of a crowdsourced ransom payments tracking website, Ransomwhere.

“I was inspired to start Ransomwhere by Katie Nickels’s tweet that no one really knows the full impact of cybercrime, and especially ransomware,” Cable told TechCrunch. “After seeing that there’s currently no single place for public data on ransomware payments, and given that it’s not hard to track bitcoin transactions, I started hacking it together.”

The website keeps a running tally of ransoms paid out to cybercriminals in bitcoin, made possible by the public record of transactions on the blockchain. As the site is crowdsourced, it incorporates data from self-reported incidents of ransomware attacks, which anyone can submit. However, to make sure all reports are legitimate, each submission must include a screenshot of the ransomware payment demand, and every case is reviewed manually by Cable himself before being made publicly available. If an approved report’s authenticity is later called into question, it will be removed from the database.

The already-burgeoning database, which doesn’t include any personal or victim-identifying information, is available as a free download for the cybersecurity community and law enforcement officials, which Cable hopes will help give some much-needed public transparency about the current state of the problem.

“As we consider policy proposals to change the state of ransomware economics, we will need data to assess whether these actions are successful,” Cable said. “For law enforcement, as we saw with the Colonial Pipeline hack, law enforcement does have the ability to recover some payments, so it would be great if this can further aid their efforts.”

At the time of writing, the site is tracking a total of more than $32 million in ransom payments for 2021. The bulk of these payments have been made to REvil, the Russia-linked ransomware gang that took credit for the JBS and Kaseya hacks. The group has racked up more than $11 million in ransom payments this year, according to Ransomwhere, an amount that could increase dramatically if its recent demands for $70 million as part of the Kaseya attack are met.

Netwalker, one of the most popular ransomware-as-a-service offerings on the dark web, comes in second with more than $6.3 million in payments for 2021, though Ransomwhere’s tally shows that the group has racked up the most ransom payments in total, with roughly $28 million to its name based on the site’s data.

RagnarLocker, DarkSide, and Egregor round out Ransomwhere’s top five list — for now at least — having amassed sums of $4.6 million, $4.4 million, and $3.2 million, respectively.
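To make the intake and tally process described above concrete, here is an added example (not Ransomwhere’s own code): a small crowdsourced ledger that enforces the rules the article lists (screenshot required, manual approval before publication, removal when authenticity is disputed), counts each bitcoin transaction once, and produces per-family totals by year. All transaction ids, amounts and report statuses are constructed.

```python
"""Added example, not Ransomwhere's code: a minimal crowdsourced
ransom-payment ledger with the intake rules the article describes."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Report:
    txid: str             # bitcoin transaction id (constructed placeholders below)
    family: str           # ransomware family named in the payment demand
    usd: float            # USD value of the payment when it was made
    year: int
    has_screenshot: bool  # submitter attached a screenshot of the demand
    approved: bool = False
    disputed: bool = False


class Ledger:
    def __init__(self):
        # Keyed by txid so the same on-chain payment is never counted twice.
        self.reports = {}

    def submit(self, r):
        """Accept a submission only if it carries the required screenshot
        and is not a duplicate. Returns False when rejected."""
        if not r.has_screenshot or r.txid in self.reports:
            return False
        self.reports[r.txid] = r
        return True

    def approve(self, txid):
        """Manual review step: only approved reports reach the public tally."""
        self.reports[txid].approved = True

    def dispute(self, txid):
        """A report whose authenticity is later questioned is removed."""
        self.reports.pop(txid, None)

    def totals(self, year=None):
        """USD paid per family over approved reports, optionally for one year."""
        out = defaultdict(float)
        for r in self.reports.values():
            if r.approved and (year is None or r.year == year):
                out[r.family] += r.usd
        return dict(out)

    def top(self, n, year=None):
        """Top-n families by total paid, highest first."""
        return sorted(self.totals(year).items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample submissions; txids and amounts are made up.
SAMPLE = [
    Report("tx-a1", "REvil", 5_000_000, 2021, True),
    Report("tx-a2", "REvil", 6_000_000, 2021, True),
    Report("tx-a2", "REvil", 6_000_000, 2021, True),    # duplicate of the line above
    Report("tx-b1", "Netwalker", 6_300_000, 2021, True),
    Report("tx-b2", "Netwalker", 21_700_000, 2020, True),
    Report("tx-c1", "DarkSide", 4_400_000, 2021, True),
    Report("tx-d1", "Egregor", 3_200_000, 2021, False),  # no screenshot: rejected
    Report("tx-e1", "Conti", 1_000_000, 2021, True),     # accepted, never approved
]


def build_ledger():
    ledger = Ledger()
    for r in SAMPLE:
        ledger.submit(r)
    for txid in ("tx-a1", "tx-a2", "tx-b1", "tx-b2", "tx-c1"):
        ledger.approve(txid)
    return ledger


if __name__ == "__main__":
    ledger = build_ledger()
    for family, usd in ledger.top(5, year=2021):
        print(f"{family:<10} ${usd:,.0f}")
```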

Cable says that going forward, he’s exploring ways of partnering with companies in the security and blockchain analysis spaces in order to integrate data that they already have on ransomware actions. He’s also looking at ways to support other traceable cryptocurrencies, such as Ethereum, as well as at the potential to track downstream bitcoin addresses. 

“It’ll never be possible to get the full picture — criminals who are using Monero will be near-impossible to track,” Cable says. “But I would like to get as complete of a picture as possible.”

#colonial-pipeline, #crime, #crimes, #cyberattacks, #cybercrime, #dark-web, #fujifilm, #kaseya, #monero, #ransomware, #security

Kaseya hack floods hundreds of companies with ransomware

On Friday, a flood of ransomware hit hundreds of companies around the world. A grocery store chain, a public broadcaster, schools, and a national railway system were all hit by the file-encrypting malware, causing disruption and forcing hundreds of businesses to close.

The victims had something in common: a key piece of network management and remote control software developed by U.S. technology firm Kaseya. The Miami-headquartered company makes software used to remotely manage a company’s IT networks and devices. That software is sold to managed service providers — effectively outsourced IT departments — which they then use to manage the networks of their customers, often smaller companies.

But hackers associated with the Russia-linked REvil ransomware-as-a-service group are believed to have used a never-before-seen security vulnerability in the software’s update mechanism to push ransomware to Kaseya’s customers, which in turn spread downstream to their customers. Many of the companies who were ultimately victims of the attack may not have known that their networks were monitored by Kaseya’s software.

Kaseya warned customers on Friday to “IMMEDIATELY” shut down their on-premise servers, and its cloud service — though not believed to be affected — was pulled offline as a precaution.

“[Kaseya] showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint.” Security researcher Victor Gevers

John Hammond, senior security researcher at Huntress Labs, a threat detection firm that was one of the first to reveal the attack, said about 30 managed service providers were hit, allowing the ransomware to spread to “well over” 1,000 businesses. Security firm ESET said it knows of victims in 17 countries, including the U.K., South Africa, Canada, New Zealand, Kenya, and Indonesia.

Now it’s becoming clearer just how the hackers pulled off one of the biggest ransomware attacks in recent history.

Dutch researchers said they found several zero-day vulnerabilities in Kaseya’s software as part of an investigation into the security of web-based administrator tools. (Zero-days are so named because they give the affected company zero days to fix the problem before it is exploited.) The bugs were reported to Kaseya and were in the process of being fixed when the hackers struck, said Victor Gevers, who heads the group of researchers, in a blog post.

Kaseya’s chief executive Fred Voccola told The Wall Street Journal that its corporate systems were not compromised, lending greater credence to the working theory by security researchers that servers run by Kaseya’s customers were compromised individually using a common vulnerability.

The company said that all servers running the affected software should stay offline until the patch is ready. Voccola told the paper that it expects patches to be released by late Monday.

The attack began late Friday afternoon, just as millions of Americans were logging off into the long July 4 weekend. Adam Meyers, CrowdStrike’s senior vice president of intelligence, said the attack was carefully timed.

“Make no mistake, the timing and target of this attack are no coincidence. It illustrates what we define as a Big Game Hunting attack, launched against a target to maximize impact and profit through a supply chain during a holiday weekend when business defenses are down,” said Meyers.

A notice posted over the weekend on a dark web site known to be run by REvil claimed responsibility for the attack and said the ransomware group would publicly release a decryption tool if it is paid $70 million in bitcoin.

“More than a million systems were infected,” the group claims in the post.

#computer-security, #crime, #crimes, #crowdstrike, #cybercrime, #kaseya, #kenya, #miami, #network-management, #new-zealand, #ransomware, #security, #south-africa, #technology, #the-wall-street-journal, #united-kingdom, #united-states

Clop ransomware gang doxes two new victims days after police raids

The notorious Clop ransomware operation appears to be back in business, just days after Ukrainian police arrested six alleged members of the gang.

Last week, a law enforcement operation conducted by the National Police of Ukraine along with officials from South Korea and the U.S. saw the arrest of multiple suspects believed to be linked to the Clop ransomware gang. It’s believed to be the first time a national law enforcement group carried out mass arrests involving a ransomware group.

The Ukrainian police also claimed at the time to have successfully shut down the server infrastructure used by the gang. But it doesn’t seem the operation was completely successful.

While the Clop operation fell silent following the arrests, the gang has this week published a fresh batch of confidential data which it claims to have stolen from two new victims — a farm equipment retailer and an architects office — on its dark web site, seen by TechCrunch.

If true — and neither of the alleged victims responded to TechCrunch’s request for comment — this would suggest that the ransomware gang remains active, despite last week’s first-of-its-kind law enforcement sting. This is likely because the suspects cuffed included only those who played a lesser role in the Clop operation. Cybersecurity firm Intel 471 said it believes that last week’s arrests targeted the money laundering portion of the operation, with core members of the gang not apprehended.

“We do not believe that any core actors behind Clop were apprehended,” the security company said. “The overall impact to Clop is expected to be minor although this law enforcement attention may result in the Clop brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk.”

Clop appears to still be in business, but it remains to be seen how long the group will remain operational. Not only have law enforcement operations dealt numerous blows to ransomware groups this year, such as U.S. investigators’ recent recovery of millions in cryptocurrency they claim was paid in ransom to the Colonial Pipeline hackers, but Russia has this week confirmed it will begin to work with the U.S. to locate cybercriminals.

Russia has until now taken a hands-off approach when it comes to dealing with hackers. Reuters reported Wednesday that the head of the country’s Federal Security Service (FSB) Alexander Bortnikov was quoted as saying it will co-operate with U.S. authorities on future cybersecurity operations.

Intel 471 previously said that it does not believe the key members of Clop were arrested in last week’s operation because “they are probably living in Russia,” which has long provided safe harbor to cybercriminals by refusing to take action.

The Clop ransomware gang was first spotted in early 2019, and the group has since been linked to a number of high-profile attacks. These include the breach of U.S. pharmaceutical giant ExecuPharm in April 2020 and the recent data breach at Accellion, which saw hackers exploit flaws in the IT provider’s software to steal data from dozens of its customers including the University of Colorado and cloud security vendor Qualys.

#accellion, #chief, #colorado, #computer-security, #crime, #cyberattack, #cybercrime, #head, #intel, #law-enforcement, #moscow, #qualys, #ransomware, #russia, #security, #security-breaches, #south-korea, #united-states

A week after arrests, Cl0p ransomware group dumps new tranche of stolen data

(credit: Getty Images)

A week after Ukrainian police arrested criminals affiliated with the notorious Cl0p ransomware gang, Cl0p has published a fresh batch of what’s purported to be confidential data stolen in a hack of a previously unknown victim. Ars won’t be identifying the possibly victimized company until there is confirmation that the data and the hack are genuine.

If genuine, the dump shows that Cl0p remains intact and able to carry out its nefarious actions despite the arrests. That suggests that the suspects don’t include the core leaders but rather affiliates or others who play a lesser role in the operations.

The data purports to be employee records, including verification of employment for loan applications and documents pertaining to workers whose wages have been garnished. I was unable to confirm that the information is genuine and that it was, in fact, taken during a hack on the company, although web searches showed that names listed in the documents matched names of people who work for the company.

#biz-it, #cl0p, #law-enforcement, #ransomware, #security, #tech

Monero emerges as crypto of choice for cybercriminals

(credit: 53 Studios | Getty Images)

For cybercriminals looking to launder illicit gains, bitcoin has long been the payment method of choice. But another cryptocurrency is coming to the fore, promising to help make dirty money disappear without a trace.

While bitcoin leaves a visible trail of transactions on its underlying blockchain, the niche “privacy coin” monero was designed to obscure the sender and receiver, as well as the amount exchanged.

As a result, it has become an increasingly sought-after tool for criminals such as ransomware gangs, posing new problems for law enforcement.

#bitcoin, #biz-it, #cryptocurrency, #monero, #organized-crim, #policy, #ransomware

Ukraine arrests ransomware gang in global cybercriminal crackdown

A chainlink fence separates us from fossil fuel tanks.

A Colonial Pipeline facility in Woodbridge, New Jersey. Hackers last month disrupted the pipeline supplying petroleum to much of the East Coast. (credit: Michael M. Santiago, Getty Images)

Ukrainian police have arrested members of a notorious ransomware gang that recently targeted American universities, as pressure mounts on global law enforcement to crack down on cybercriminals.

The Ukraine National Police said in a statement on Wednesday that it had worked with Interpol and the US and South Korean authorities to charge six members of the Ukraine-based Cl0p hacker group, which it claimed had inflicted a half-billion dollars in damages on victims based in the US and South Korea.

The move marks the first time that a national law enforcement agency has carried out mass arrests of a ransomware gang, adding to pressure on other countries to follow suit. Russia, a hub for ransomware gangs, has been blamed for harbouring cybercriminals by failing to prosecute or extradite them.

#biz-it, #cl0p, #cybercrime, #policy, #ransomware, #ukraine

Ukrainian police arrest multiple Clop ransomware gang suspects

Multiple suspects believed to be linked to the Clop ransomware gang have been detained in Ukraine after a joint operation from law enforcement agencies in Ukraine, South Korea, and the United States.

The Cyber Police Department of the National Police of Ukraine confirmed that six arrests were made after searches at 21 residences in the capital Kyiv and nearby regions. While it’s unclear whether the defendants are affiliates or core developers of the ransomware operation, they are accused of running a “double extortion” scheme, in which victims who refuse to pay the ransom are threatened with the leak of data stolen from their networks prior to their files being encrypted.

“It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement.

The police also seized equipment from the alleged Clop ransomware gang, said to be behind total financial damages of about $500 million. This includes computer equipment, several cars — including a Tesla and a Mercedes — and 5 million Ukrainian hryvnia (around $185,000) in cash. The authorities also claim to have successfully shut down the server infrastructure used by the gang members to launch previous attacks.

“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added.

These attacks first began in February 2019, when the group attacked four Korean companies and encrypted 810 internal services and personal computers. Since then, Clop — often styled as “Cl0p” — has been linked to a number of high-profile ransomware attacks. These include the breach of U.S. pharmaceutical giant ExecuPharm in April 2020 and the attack on South Korean e-commerce giant E-Land in November that forced the retailer to close almost half of its stores.

Clop is also linked to the ransomware attack and data breach at Accellion, which saw hackers exploit flaws in the IT provider’s File Transfer Appliance (FTA) software to steal data from dozens of its customers. Victims of this breach include Singaporean telecom Singtel, law firm Jones Day, grocery store chain Kroger, and cybersecurity firm Qualys.

At the time of writing, the dark web portal that Clop uses to share stolen data is still up and running, although it hasn’t been updated for several weeks. Law enforcement typically replaces a seized site with its own logo after a successful takedown; the absence of such a seizure notice suggests that members of the gang could still be active.

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. “The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.”

Hultquist said the efforts of the Ukrainian police “are a reminder that the country is a strong partner for the U.S. in the fight against cybercrime and authorities there are making the effort to deny criminals a safe harbor.”

The alleged perpetrators face up to eight years in prison on charges of unauthorized interference in the work of computers, automated systems, computer networks, or telecommunications networks and laundering property obtained by criminal means.

News of the arrests comes as international law enforcement turns up the heat on ransomware gangs. Last week, the U.S. Department of Justice announced that it had seized most of the ransom paid to members of DarkSide by Colonial Pipeline.

#aerospace, #colonial-pipeline, #crime, #cybercrime, #e-commerce, #extortion, #government, #kroger, #law, #law-enforcement, #malware, #mandiant, #oil-and-gas, #pharmaceuticals, #qualys, #ransomware, #security, #security-breaches, #singtel, #south-korea, #telecommunications, #tesla, #ukraine, #united-states

CD Projekt Red does an about-face, says ransomware crooks are leaking data

A stylized ransom note asks for bitcoin in exchange for stolen data.

(credit: Aurich Lawson)

CD Projekt Red, the maker of The Witcher series, Cyberpunk 2077, and other popular games, said on Friday that proprietary data taken in a ransomware attack disclosed four months ago is likely circulating online.

“Today, we have learned new information regarding the breach and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet,” company officials said in a statement. “We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games.”

An about-face

The update represents an about-face of sorts, as it warns that the information of current and former employees and contractors is now believed to be among the compromised data. When the Poland-based game maker disclosed the attack in February, it said it didn’t believe the stolen data included personal information for employees or customers.

#biz-it, #cd-projekt-red, #personal-information, #ransomware, #tech

EA source code stolen by hacker claiming to sell it online

(credit: Getty Images)

Game-maker Electronic Arts and the Presque Isle Police Department in Maine are responding to an event they had both been dreading: the theft of gigabytes of private data by hackers who breached their Internet-connected networks.

In EA’s case, the theft included 780GB of source code and tools for FIFA 21, according to a post published earlier this week on an underground crime forum. The person who published the post, with the username Leakbook, was offering to sell the data.

“You have full capability of exploiting on all EA services,” the person wrote.

#biz-it, #data-breaches, #electronic-arts, #ransomware, #tech

Are we overestimating the ransomware threat?

On Monday afternoon, the U.S. Justice Department said it has seized much of the cryptocurrency ransom that U.S. pipeline operator Colonial Pipeline paid last month to a Russian hacking collective called DarkSide, by tracking the payment as it moved through different accounts belonging to the hacking group and finally breaking into one of those accounts with the blessing of a federal judge.

It’s a feel-good twist to a saga that began with a cyberattack on Colonial and resulted in a fuel shortage made worse by the panic-purchasing of gasoline last month after Colonial shut down one of its major pipelines (and later suffered a second pipeline shutdown owing to what it described as an overworked internal server). But Christopher Ahlberg, a successful serial entrepreneur and the founder of Recorded Future, a security intelligence company that tracks threats to the government and corporations and runs its own media arm, suggests that Americans have overestimated DarkSide all along. He explained a lot about the way its operations work last week in an interview that you can hear here. Shorter excerpts from that conversation follow, edited lightly for length.

TC: Broadly, how does your tech work?

CA: What we do is try to index the internet. We try to get in the way of data from everything that’s written on the internet, down to the electrons moving, and we try and index that in a way that it can be used for people who are defending companies and defending organizations. . . . We try to get into the heads of the bad guys, get to where the bad guys hang out, and understand that side of the equation. We try to understand what happens on the networks where the bad guys operate, where they execute their stuff, where they basically transmit data, where they run the illicit infrastructure — all of those things. And we also try to get in the way of the traces that the bad guys leave behind, which could be in all kinds of different interesting places.

TC: Who are your customers?

CA: We have about 1,000 of them in total, and they range from the Department of Defense to some of the largest companies in the world. Probably a third of our business is [with the] government, one third of our businesses are in the financial sector, then the rest [comprise] a whole set of verticals, including transportation, which has been big.

TC: You’re helping them predict attacks or understand what happened in cases where it’s too late?

CA: It can go both ways.

TC: What are some of the clues that inform your work?

CA: One is understanding the adversary, the bad guys, and they largely fall in two buckets: You’ve got cyber criminals, and you’ve got adversary intelligence agencies.

The criminals over the last month or two here that the world and us, too, have been focused on are these ransomware gangs. So these are Russian gangs, and when you hear ‘gang,’ people tend to think about large groups of people [but] it’s typically a guy or two or three. So I wouldn’t overestimate the size of these gangs.

[On the other hand] intelligence agencies can be both very well-equipped and [involve] large sets of people. So one piece is about tracking them. Another piece is about tracking the networks that they operate on . . . Finally, [our work involves] understanding the targets, where we get data on the potential targets of a cyber attack without having access to the actual systems on premises, then tying the three buckets together in an automated fashion.

TC: Do you see a lot of cross pollination between intelligence agencies and some of these Russian cutouts?

CA: The short answer is these groups are not, in our view, being tasked on a daily or monthly or maybe even yearly basis by Russian intelligence. But in a series of countries around the world — Russia, Iran, North Korea is a little bit different, to some degree in China — what we’ve seen is that government has encouraged a growing hacker population that’s been able, in an unchecked way, to be able to pursue their interest — in Russia, largely — in cyber crime. Then over time, you see intelligence agencies in Russia — FSB, SVR and GRU —  being able to poach people out of these groups or actually task them. You can find in official documents how these guys have mixed and matched over a long period of time.

TC: What did you think when DarkSide came out soon after the cyberattack and said it could no longer access its Bitcoin or payment server and that it was shutting down?

CA: If you did this hack, you probably had zero idea what Colonial Pipeline actually was when you did it. You’re like, ‘Oh, shit, I’m all over the American newspapers.’ And there are probably a couple of phone calls starting to happen in Russia, where basically, again, ‘What the hell did you just do? How are you going to try to cover that up?’

One of the simplest first things you’re going to do is to basically say either, ‘It wasn’t me’ or you’re going to try to say, ‘We lost the money; we lost access to our servers.’ So I think that was probably fake that whole thing [and that] what they were doing was just to try to cover their tracks, [given that] we found them later come back and try to do other things. I think we overestimated the ability of the U.S. government to come rapidly right back at these guys. That will just not happen that fast, though this is pure conjuring. I’m not saying that with access to any inside government information or anything of the sort.

TC: I was just reading that DarkSide operates like a franchise where individual hackers can come and receive software and use it like a turnkey process. Is that new and does that mean that it opens up hacking to a much broader pool of people?

CA: That’s right. One of the beauties of the Russian hacker underground is in its distributed nature. I’m saying ‘beauty’ with a little bit of sarcasm, but some people will write the actual ransomware. Some will use the services that these guys provide and then be the guys who might do the hacking to get into the systems. Some other guys might be the ones who operate the Bitcoin transactions through the Bitcoin tumbling that gets needed . . . One of the interesting points is that to get the cash out in the end game, these guys need to go through one of these exchanges that ended up being more civilized businesses, and there might be money mules involved, and there are people who run the money mules. A lot of these guys do credit card fraud; there’s a whole set of services there, too, including testing if a card is alive and being able to figure out how you get money out of it. There are probably 10, 15, maybe 20 different types of services involved in this. And they’re all very highly specialized, which is very much why these guys have been able to be so successful and also why it’s hard to go at it.

TC: Do they share the spoils and if so, how?

CA: They do. These guys run pretty effective systems here. Obviously, Bitcoin has been an incredible enabler in this because there is a way to do payments [but] these guys have whole systems for ranking and rating of themselves much like an eBay seller. There’s a whole set of these underground forums that have historically been the places that these guys have been operating, and they’ll include services there for being able to say that somebody is a scammer [meaning in relation to the] thieves who are among the cyber criminals. It’s much like the internet. Why does the internet work so well? Because it’s super distributed.

TC: What’s your advice to those who aren’t your customers but want to defend themselves?

CA: A colleague produced a pie chart to show what industries are being hit by ransomware and what’s amazing is that it was just super distributed across 20 different industries. With Colonial Pipeline, a lot of people were like, ‘Oh, they’re coming from the oil.’ But these guys could care less. They just want to find the slowest moving target. So make sure you’re not the easiest target.

The good news is that there are plenty of companies out there doing the basics and making sure that your systems are patched [but also] hit that damn update button. Get as much of your stuff off the internet so that it’s not facing out. Keep as little surface area as you can to the outside world. Use good passwords, use multiple two-factor authentication on everything and anything that you can get your hands on.

There’s a checklist of 10 things that you’ve got to do in order to not be that easy target. Now, for some of these guys — the really sophisticated gangs — that’s not enough. You’ve got to do more work, but the basics will make a big difference here.

#christopher-alhberg, #colonial-pipeline, #cryptocurrency, #fbi, #ransomware, #recorded-future, #tc