
Ransomware is a global problem that needs a global solution • ZebethMedia

This time last year, we were optimistic. It seemed like the tide was turning on ransomware after the U.S. government scored a handful of wins against the cybercriminals carrying out these increasingly damaging attacks: the Justice Department successfully seized $2.3 million in bitcoin that Colonial Pipeline paid to the DarkSide ransomware gang to reclaim its data, and months later it played a part in bringing down the notorious REvil ransomware gang.

Our optimism was short-lived. Despite this action, 2022 looks set to top last year as the worst year on record for ransomware attacks; a recent report shows that attacks have increased by 80% year-over-year and that the cybercriminals responsible for these attacks have easily dodged law enforcement action by taking advantage of ransomware as a service, or by simply rebranding.

“It’s clear that ransomware attacks are on the rise,” Matthew Prince, CEO of Cloudflare, tells ZebethMedia. “In September 2022, nearly one in every four respondents to our customer survey reported receiving a ransomware attack or threat, the highest month so far of 2022.”

2022 hasn’t just been the worst year for ransomware attacks statistically, it has also just been… the worst. While hackers last year focused on critical infrastructure and financial services, this year’s focus has been on organizations where they can inflict the most damage. An attack on the Los Angeles Unified School District saw Vice Society hackers leak a 500 gigabyte trove of sensitive data, including previous conviction reports and psychological assessments of students, while an attack on IT services provider Advanced left the U.K.’s NHS scrambling after it was forced to cancel appointments and left staff relying on pen and paper to take notes.
Perhaps the most devastating attack of 2022 came just weeks ago, after attackers breached Australian health insurance giant Medibank and accessed roughly 9.7 million customers’ personal details, along with health claims data for almost half a million customers. Data stolen during the attack included sensitive files related to abortions and alcohol-related illnesses.

These attacks don’t just demonstrate that ransomware is worsening. They also show that ransomware is a global problem and that global action is needed to fight back successfully. Earlier in November, the U.S. government started to take strides in the right direction, announcing that it will establish an International Counter Ransomware Task Force, or ICRTF, to promote information and capability sharing.

“This is a global issue, so governments need to come together,” Camellia Chan, CEO and founder at cybersecurity firm X-PHY, tells ZebethMedia. “That said, collaboration alone won’t provide a solution. It’s more than signing an agreement.”

This is a viewpoint shared among the cybersecurity community: signing agreements and sharing intelligence is all well and good, but it’s unlikely to deter financially motivated cybercriminals that continue to reap the rewards of these attacks. To gain ground on cybercriminals that continue to achieve a high rate of success, governments need a fresh approach.

[Image caption: Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021. The US government declared a regional emergency on May 9, 2021 as the largest U.S. fuel pipeline system remained largely shut down, two days after a ransomware attack. Image Credits: Jim Watson / AFP via Getty Images.]

“You can’t arrest your way out of the problem,” Morgan Wright, chief security advisor at SentinelOne, tells ZebethMedia. “There are numerous examples of both transnational criminal ransomware actors and nation-state actors being identified and indicted for various crimes.
These offenders almost always live in countries with no extradition treaty with the country that has issued the indictments.”

“One area I would like to see an increased effort is in the area of human collection of intelligence,” Wright added. “We need more penetration of state actors and criminal organizations. Too often, ransomware is viewed as a technical issue. It’s not. It’s human greed that uses technology to achieve an end goal.”

This element of greed could also be targeted by increasing regulation of the cryptocurrency market, which many believe could be on the horizon following the recent collapse of FTX. Former CISA assistant director Bob Kolasky said that in order to discourage ransomware actors for good, governments need to reduce the financial instruments available for them to use. “This includes using regulatory pressure on the cryptocurrency market to make tracking and recouping ransomware payments easier,” Kolasky tells ZebethMedia, a view shared by others.

“We need governments to take a bigger role in blocking cryptocurrencies, which is the enabler of attacker monetization strategies,” David Warburton, director of networking company F5 Labs, agrees, telling ZebethMedia: “While decentralized currencies, such as bitcoin, aren’t inherently bad, nor solely responsible for the ransomware epidemic we’re facing, there’s no denying they are a huge factor.

“While control and regulation somewhat defeat the original intent of decentralized currencies, there’s no escaping the fact that without Bitcoin, ransomware simply wouldn’t exist,” said Warburton.

But legislation wouldn’t work unless it’s a global effort, he said: “Many ransomware groups operate from countries which have no motivation to help those that are being targeted.” This is a problem that, like ransomware itself, has been worsened by Russia’s invasion of Ukraine, which has ended any cooperation between Europe, the U.S. and Russia on ransomware operations inside Russia.
Jason Steer, chief information security officer at threat intelligence giant Recorded Future, said that this is an area that immediately needs more global government support. “The focus has significantly dropped off in 2022 due to Russia’s activities, where in fact many groups operate safely from,” said Steer.

Even if governments joined forces to collaboratively fight the growing ransomware problem, it’s unlikely to have any immediate effect. Security experts expect no respite from ransomware as we enter 2023, as increasingly savvy hackers exploit new attack vectors and continue to reap the financial rewards.

“There are governments that are working to provide more support and resources. But it will never be enough,” says Wright. “Bad actors will always have the advantage, but we should make them pay in a significant way every time an attack is launched.”

Hive ransomware actors have extorted over $100M from victims, says FBI • ZebethMedia

The U.S. government has warned of ongoing malicious activity by the notorious Hive ransomware gang, which has extorted more than $100 million from its growing list of victims.

A joint advisory released by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services on Thursday revealed that the Hive ransomware gang has received upwards of $100 million in ransom payments from over 1,300 victims since the gang was first observed in June 2021. This list of victims includes organizations from a wide range of industries and critical infrastructure sectors, such as government facilities, communications, and information technology, with a particular focus on healthcare and public health entities.

Hive, which operates a ransomware-as-a-service (RaaS) model, claimed the Illinois-based Memorial Health System as its first healthcare victim in August 2021. This cyberattack forced the health system to divert care for emergency patients and cancel urgent care surgeries and radiology exams. The ransomware gang also released sensitive health information of about 216,000 patients.

Then, in June 2022, the gang compromised Costa Rica’s public health service before targeting New York-based emergency response and ambulance service provider Empress EMS the following month. Over 320,000 individuals had information stolen, including names, dates of services, insurance information, and Social Security numbers.

Just last month, Hive also added Lake Charles Memorial Health System, a hospital system in Southwest Louisiana, to its dark web leak site, where it posted hundreds of gigabytes of data, including patient and employee information. Hive also targeted Tata Power, a top power generation company in India, in October.
The joint FBI-CISA-HHS advisory warns that Hive typically gains access to victim networks by using stolen single-factor credentials to log in to organizations’ remote desktop systems, virtual private networks, and other internet-facing systems. But CISA also warns that the ransomware group skirts some multi-factor authentication systems by exploiting unpatched vulnerabilities.

“In some cases, Hive actors have bypassed multi-factor authentication and gained access to FortiOS servers by exploiting CVE-2020-12812,” the advisory says. “This vulnerability enables a malicious cyber-actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.”

The advisory also warns that Hive actors have been observed reinfecting victims that restored their environments without paying a ransom, either with Hive or another ransomware variant.

Microsoft’s Threat Intelligence Center (MSTIC) researchers warned earlier this year that Hive had upgraded its malware by migrating its code from Go to the Rust programming language, enabling it to use a more complex encryption method for its ransomware-as-a-service payload.

The U.S. government shared Hive indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) discovered by the FBI to help defenders detect malicious activity associated with Hive affiliates and reduce or eliminate the impact of such incidents.

‘We know who you are’ • ZebethMedia

The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers.

AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.

In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.

“The Australian Federal Police have identified the hackers, revealing they’re located in Russia. We know where they are. And we are working hard to bring them to justice.” — Anthony Albanese (@AlboMP) November 11, 2022

Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims. “These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.

The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.

The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia.
“For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication,” the embassy said in a statement on Friday. “We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.”

Russia’s federal security service FSB (formerly the KGB) said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges.

“Even after a series of law enforcement operations against REvil, the gang and its affiliates still seem to keep returning, based on the analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, tells ZebethMedia.

Kershaw said on Friday that the AFP, along with international partners such as Interpol, will “be holding talks with Russian law enforcement about these individuals.”

“It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” Kershaw said. “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

While the AFP has successfully extradited people from Poland, Serbia, and the United Arab Emirates in recent years to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia does not extradite its citizens to anyone.”

Despite action by the AFP, the Medibank breach continues to worsen following its decision to refuse to pay the cybercriminals’ ransom demand.
On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day,” Medibank CEO David Koczkar said on Friday. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”

Police arrest suspected LockBit operator as the ransomware gang spills new data • ZebethMedia

A Russian national linked to the LockBit ransomware operation has been arrested over his alleged involvement in attacks targeting critical infrastructure and large industrial groups worldwide.

The 33-year-old suspect was arrested in Ontario, Canada on October 26 following an investigation led by the French National Gendarmerie with the help of Europol’s European Cybercrime Centre, the FBI, and the Royal Canadian Mounted Police. During the arrest, police seized eight computers, 32 external hard drives, and €400,000 in cryptocurrencies, Europol said. The arrest follows a similar action in Ukraine in October last year, when a joint international law enforcement operation led to the arrest of two of his accomplices.

Europol says the suspect, described as “one of the world’s most prolific ransomware operators,” was one of its high-value targets due to his involvement in numerous high-profile ransomware cases. The EU police agency added that he is known for trying to extort victims with ransom demands of between €5 million and €70 million. The suspect will now face charges in the United States. An announcement from the U.S. Department of Justice is expected later today.

Specific victims targeted by the suspected LockBit operator were not named by Europol. However, France’s involvement in the operation suggests he could be linked to a recent attack on French aerospace and defense group Thales.

LockBit, a prominent ransomware operation that has previously claimed attacks on tech manufacturer Foxconn, U.K. health service vendor Advanced, and IT giant Accenture, added Thales to its leak site on October 31. The group claimed to have published data stolen from the company today, which it describes as “very sensitive” and “high risk” in nature. Contents of the data leak include commercial documents, accounting files and customer files, according to LockBit, though the files had not been published at the time of publication.
“As far as customers are concerned, you can approach the relevant organizations to consider taking legal action against this company that has greatly neglected the rules of confidentiality,” a message on the LockBit leak site reads. Thales spokesperson Cedric Leurquin did not immediately respond to our request for comment.

LockBit also claims to have today leaked 40 terabytes of data stolen from German automotive giant Continental, and samples of the data suggest that the gang has accessed technical documents and source code. Though a ransom demand was not explicitly stated, the ransomware gang’s leak page claims to offer access to the full tranche of stolen data for $50 million.

Continental spokesperson Marc Siedler told ZebethMedia that the company’s investigation into the incident has revealed that “attackers were also able to steal some data from the affected IT systems,” but refused to say what types of data were stolen or how many customers and employees have been affected.

Hackers start leaking health data after ransomware attack • ZebethMedia

Medibank has urged its customers to be on high alert after cybercriminals began leaking sensitive medical records stolen from the Australian health insurance giant.

A ransomware group with ties to the notorious Russian-speaking REvil gang began publishing the stolen records early Wednesday, including customers’ names, birth dates, passport numbers, and information on medical claims. This comes after Medibank said it would not pay the ransom demand, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”

The cybercriminals selectively separated the first sample of Australian breach victims into “naughty” and “good” lists, with the former including numerical diagnosis codes that appeared to link victims to drug addiction, alcohol abuse, and HIV, according to Agence France-Presse. For example, one record carries an entry that reads “F122,” which corresponds with “cannabis dependence” under the International Classification of Diseases published by the World Health Organization.

It’s also believed the leaked data includes the names of high-profile Medibank customers, which likely includes senior Australian government lawmakers, like prime minister Anthony Albanese and cybersecurity minister Clare O’Neil.

The portion of data leaked so far, seen by ZebethMedia, also appears to include correspondence of negotiations between the cybercriminals and Medibank CEO David Koczkar. Screenshots of WhatsApp messages suggest that the ransomware group also plans to leak “keys for decrypting credit cards” despite Medibank’s assertion that no banking or credit card details were accessed.

“Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” Medibank spokesperson Liz Green told ZebethMedia in an emailed statement on Wednesday, deferring further questions to the company’s blog post.
The cybercriminal gang behind the Medibank ransomware attack, whose identities are not known but which has relied on a variant of REvil’s file-encrypting malware, has so far leaked the personal details of around 200 Medibank customers, a fraction of the data that the group claims to have stolen. Medibank confirmed on Tuesday that the cybercriminals had accessed roughly 9.7 million customers’ personal details and health claims data for almost 500,000 customers.

What should victims do?

In light of the data leak, which exposed highly confidential information that could be abused for financial fraud, Medibank and the Australian Federal Police are urging customers to be on high alert for phishing scams and unexpected activity across online accounts. Medibank is also advising users to ensure they are not re-using passwords and have multi-factor authentication enabled on any online accounts where the option is available.

Medibank also launched a “cyber response support package” for affected customers, Medibank’s Green told ZebethMedia. This includes hardship support, identity protection advice and resources, and reimbursement of government ID replacement fees. The health insurance giant is also providing a wellbeing line, a mental health outreach service, and personal duress alarms.

Australia’s federal police are investigating the breach in collaboration with agencies from around the Commonwealth, as well as from the other members of the “Five Eyes” group of intelligence-sharing governments, including the U.K., U.S., Canada, and New Zealand.
Operation Guardian, the Australian government’s response to the recent wave of cyberattacks that began with the data breach at telco giant Optus, will be extended to Medibank to protect its customers from “financial fraud and identity theft.”

“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” said AFP Assistant Commissioner Cyber Command Justine Gough. “Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank Private data.”

What’s next?

In its latest update, Medibank is bracing for the situation to worsen, saying that it “expects the criminal to continue to release files on the dark web.” On its dark web leak site, the cybercriminals said they planned to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”

Medibank says it will continue to contact all affected customers with specific advice and details of what data the attackers have accessed. However, customers at a heightened risk of being targeted by fraudulent emails should ensure that emails are coming from Medibank. Medibank said it would not ask for personal details over email. If in doubt, don’t click any links.

It’s not yet known whether Medibank customers will receive compensation following the breach or whether Medibank will face action for failing to protect users’ confidential medical data. The breach comes just weeks after Australia confirmed an incoming legislative change to the country’s privacy laws, following a long process of consultation on reforms. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches and give greater powers to the Australian information commissioner.
Two law firms also said on Tuesday that they are investigating whether Medibank had breached its obligations to customers under the country’s Privacy Act. The firms, Bannister Law and Centennial Lawyers, will investigate whether Medibank breached their privacy policy and the terms of their contract with customers and will also assess whether damages should be paid as a result of the breach.

Ransomware gang threatens to publish thousands of Australians’ health data • ZebethMedia

A ransomware group with suspected links to the notorious Russian-speaking REvil gang has threatened to release the personal information of millions of Medibank customers after the Australian private health insurance giant pledged it would not pay the cybercriminals’ ransom demand.

Medibank, Australia’s largest health insurance provider, first disclosed a “cyber incident” on October 13, saying at the time that it detected unusual activity on its network and took immediate steps to contain the incident. Days later, the company said that customer data might have been exfiltrated.

In an update posted this week, the Melbourne-based Medibank admitted that the attackers accessed roughly 9.7 million customers’ personal information, including names, birth dates, email addresses, and passport numbers. The cybercriminals also accessed health claims data for almost 500,000 customers, including service provider names and locations, where customers received certain medical services, and codes associated with diagnosis and procedures administered. For 5,200 users of Medibank’s My Home Hospital app, the cybercriminals accessed some personal and health claims data and, for some, next of kin contact details.

Medibank CEO David Koczkar said that while the health insurance giant believes that the attackers likely exfiltrated all of the data they were able to access, the organization would not pay the ransom demand. “Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said. The chief executive added that paying could even encourage the hackers to adopt a triple-extortion tactic by attempting to extort customers directly.

Following Koczkar’s announcement, a ransomware gang believed to be a rebrand of the defunct REvil group threatened to leak the stolen Medibank data.
The new dark web leak site, seen by ZebethMedia, listed Medibank as one of its victims and said it planned to release the exfiltrated data publicly. The gang did not say how much data it exfiltrated from Medibank’s network, and did not share evidence of its claims.

The links between the new leak site and REvil, which went dark after U.S. authorities pushed the operation offline in October after the gang launched ransomware attacks against Colonial Pipeline, JBS Foods and U.S. technology firm Kaseya, remain unclear. Brett Callow, a ransomware expert and threat analyst at Emsisoft, said that the new operation uses a variant of REvil’s file-encrypting malware and that REvil’s old website now redirects to the new leak site.

Medibank described the gang’s threats as a “distressing development” in a second update published on Tuesday, and urged customers to be vigilant with all online communications and transactions.

“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them,” said Koczkar. “The weaponization of their private information is malicious, and it is an attack on the most vulnerable members of our community.”

Medibank added that it is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police, in order to try and prevent the sharing and sale of customer data.

News of the Medibank attack comes just weeks after Australia’s second largest telco Optus was breached. The Australian government confirmed an upcoming legislative change that would see companies that fail to adequately protect people’s data face fines of $50 million or more.

Crime group hijacks hundreds of US news websites to push malware • ZebethMedia

A cybercriminal group has compromised a media content provider to deploy malware on the websites of hundreds of news outlets in the U.S., according to cybersecurity company Proofpoint.

The threat actors, tracked by Proofpoint as “TA569,” compromised the media organization to spread SocGholish, a custom malware active since at least 2018. The media company in question is not named, but was notified and is said to be investigating. Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, tells ZebethMedia that the organization provides “both video content and advertising to major news outlets.”

DeGrippo added that 250 U.S. national newspaper sites and regional websites are affected, including media organizations serving Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, D.C. It’s unclear how the unnamed media company was compromised, but DeGrippo added that TA569 “has a demonstrated history of compromising content management systems and hosting accounts.”

The SocGholish malware is injected into a benign JavaScript file that is loaded by the news outlets’ websites, which prompts the website visitor to download a fake software update. In this campaign, the prompt takes the form of a browser update for Chrome, Firefox, Internet Explorer, Edge, or Opera.

“If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload,” said DeGrippo. “This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”

SocGholish serves as an “initial access threat,” which, if successfully planted, has historically served as a precursor to ransomware, according to Proofpoint. The threat actors’ end goal, the company says, is financial gain. Proofpoint tells ZebethMedia that it “assesses with high confidence” that TA569 is associated with WastedLocker, a variant of ransomware developed by the U.S.-sanctioned Evil Corp group.
The company added that it does not believe TA569 is Evil Corp, but rather acts as a broker of already-compromised devices for the hacking group. It was revealed earlier this year that Evil Corp uses a ransomware-as-a-service model in an effort to skirt U.S. sanctions. The gang was sanctioned in December 2019 due to its extensive development of the Dridex malware, which the gang used to steal more than $100 million from hundreds of banks and financial institutions.

Hive ransomware gang leaks data stolen during Tata Power cyberattack • ZebethMedia

The Hive ransomware group has claimed responsibility for the recent cyberattack on Tata Power, a leading Indian energy company, and has started leaking stolen employee data.

Tata Power, which serves more than 12 million customers through its distributors, confirmed on October 14 that it had been hit by a cyberattack that impacted some of its IT systems. “The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” Tata Power said at the time, but did not confirm any specific details about the attack and its impact.

Hive, the ransomware gang that recently hit the Costa Rican government, this week listed Tata Power on its dark web leak site, which it uses to publicize attacks and stolen data. The group claims it encrypted the company’s data on October 3, suggesting Tata Power may have known about the breach two weeks prior to its initial filing, according to the listing, which ZebethMedia has seen. The listing of stolen data suggests any negotiations to pay a ransom failed.

This data, reviewed by ZebethMedia, includes sensitive employee information, such as Aadhaar national identity card numbers, tax account numbers, salary information, home addresses and phone numbers. The leaked data, which was posted to Hive’s dark web leak site on October 24, also includes engineering drawings, financial and banking records, client records and some private keys.

“The leak has sensitive data but nothing that affects power grids,” Rahul Sasi, co-founder and CEO of threat intelligence firm CloudSEK, who also reviewed the leaked data, told ZebethMedia. Sasi said that the group’s motivation appears to be purely financial.

ZebethMedia contacted Tata Power but had not received a response at the time of publication.

The Hive ransomware gang has been active since mid-2021.
The gang and its affiliates started targeting organizations that experienced high downtime costs, such as healthcare providers, energy providers and retailers. The group is known for its aggressive tactics and has been observed using methods such as “triple extortion,” whereby the attackers seek money not only from the organization that was first targeted but also from anyone who might be impacted by the disclosure of that organization’s data.

The attack on Tata Power is the latest in a series of attacks carried out by Hive. Last month, the group claimed an attack on the New York Racing Association just a few days after leaking data stolen from Bell Canada-owned subsidiary Bell Technical Solutions.

To better thwart ransomware attacks, startups must get cybersecurity basics right • ZebethMedia

The Department of Justice (DOJ) famously declared 2021 as the “worst year” for ransomware attacks, but it seems that title could be in 2022’s hands very soon. Despite some rare wins in the war against hackers over the past 12 months — from the government’s seizure of $2.3 million in bitcoin paid out to the Colonial Pipeline hackers, to its successful disruption of the notorious REvil gang — the ransomware threat continues to grow.

Over the past few months alone, we’ve seen threat actors ramping up attacks against public sector organizations, including hospitals, schools and, in the case of Costa Rica, entire governments. The private sector is also battling a worsening ransomware threat, with attackers claiming a number of high-profile victims such as AMD, Foxconn and Nvidia.

“Enable multifactor authentication on everything you have.”
Katie Moussouris, founder, Luta Security

Founders of early-stage startups will undoubtedly find it concerning to see even well-known organizations failing to protect themselves from ransomware despite their seemingly endless resources, particularly as it’s unclear exactly where these companies went wrong. “It could be a zero-day or it could be a failure to implement multifactor authentication (MFA) or an MFA bypass,” said Brett Callow, threat analyst at Emsisoft, during a panel discussion on the ZebethMedia+ stage at Disrupt 2022. “There’s no standard answer, and that is what makes this problem so difficult to deal with.”

NHS vendor Advanced won’t say if patient data was stolen during ransomware attack • ZebethMedia

The hackers used “legitimate” credentials to breach the vendor’s network

Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say if patient data was compromised.

Advanced first confirmed the ransomware incident on August 4 following widespread disruption to NHS services across the U.K. The attack downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.

In an update dated October 12 and shared with ZebethMedia on Thursday, Advanced said the malware used in the attack was LockBit 3.0, according to the company’s incident responders, named as Mandiant and Microsoft. LockBit 3.0 is a ransomware-as-a-service (RaaS) operation that hit Foxconn earlier this year.

In its updated incident report, Advanced said that the attackers initially accessed its network on August 2 using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, which powers its caregiver scheduling and rostering system. The report implies there was no multi-factor authentication in place that would have blocked the use of stolen passwords. “The attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware,” Advanced said in the update.

Advanced said some data pertaining to 16 Staffplan and Caresys customers (referring to NHS trusts) was “copied and exfiltrated,” a technique known as double extortion, where cybercriminals exfiltrate a company’s data before encrypting the victim’s systems.

In the update, Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside of its control and that “the likelihood of harm to individuals is low.” When reached by ZebethMedia, Advanced chief operating officer Simon Short declined to say if patient data is affected, or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated. LockBit 3.0’s dark web leak site did not list Advanced or NHS data at the time of writing. Short also declined to say if Advanced paid a ransom.

“We are, however, monitoring the dark web as a belt and braces measure and will let you know immediately in the unlikely event that this position changes,” Advanced said in the update.

Advanced said its security team disconnected the entire Health and Care environment to contain the threat and limit encryption, which downed a number of services across the NHS. The extended outage left some trusts unable to access clinical notes, and others were forced to rely on pen and paper, BBC News reported in August.

Advanced said its recovery from the incident is likely to be slow, citing an assurance process set by the NHS, NHS Digital and the U.K. National Cyber Security Center. “This is time-consuming and resource intensive and it continues to contribute to our recovery timeline,” Advanced said. “We are working diligently and bringing all resources to bear, including outside recovery specialists, to help us restore services to our customers as quickly as possible.”

The healthcare industry remains a top priority for ransomware actors. Earlier this month, U.S. hospital giant CommonSpirit was hit by a cybersecurity incident that is disrupting medical services across the country — which it later confirmed was a ransomware attack.
