FBI Sheds New Light On Ransomware Tactics

According to a recent FBI alert marked “TLP: AMBER” (a Traffic Light Protocol marking that limits sharing to recipients' own organizations and clients), businesses should be on high alert for ransomware attacks.

The alert reads, in part, as follows:

“Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga.

The actors behind LockerGoga and MegaCortex will gain a foothold on a corporate network using exploits, phishing attacks, SQL injections and stolen login credentials.”

The alert also states that the attackers behind these two ransomware strains often wield Cobalt Strike, a commercial penetration-testing framework, and in particular its Beacon implant to maintain remote access to compromised hosts.

Once the attackers gain a toehold inside a target network, they carefully explore and map it, seeking out the most sensitive information: proprietary company data, payment card data, other customer details and the like.

The goal at this stage is to identify the highest-value information and exfiltrate it to the command and control server for sale on the black market. Only after the most valuable data has been siphoned off do the attackers trigger the ransomware itself, which becomes a second source of revenue: the organization is extorted for the decryption key on top of whatever the stolen data fetches.

The FBI also reports that nation-state hacking operations often deploy ransomware to make an intrusion look like the work of ordinary cybercriminals, throwing forensic investigators off their trail.

The process of mapping the network and exfiltrating valuable data can take weeks or even months, depending on the size of the network, so an organization may be compromised long before the visible signs of the attack appear. Given that, it's more important than ever to have robust security controls in place. Take backups at regular intervals to storage that is offline or otherwise unreachable with ordinary domain credentials (attackers who have spent weeks mapping the network will encrypt or delete any backup they can reach), test that those backups actually restore, and have a rapid response plan ready in the event of a breach.

New Ransomware Threatens To Release Stolen Data To Public

The operators of the ransomware known as Sodinokibi (REvil) have announced a nasty new tactic to get their victims to pay up when their files get encrypted.

The hackers are now threatening that they’ll begin releasing stolen data to the general public or to competitors unless the ransom is paid.

Hackers have made this threat in the past, but this year was the first time any group followed through with it. At the end of November of this year, the operators of the rival Maze ransomware gave Allied Universal, which they had successfully attacked, an ultimatum: pay up or see its files released. The company didn't pay, and the attackers promptly published more than 700MB of its data on a hacking forum on the Dark Web.

Given this new reality, some thorny questions arise. Should IT professionals begin treating ransomware attacks as data breaches? Possibly so, but doing so complicates matters. Today a ransomware attack is typically handled as a purely internal problem: customers and vendors aren't necessarily contacted, and no formal disclosure of the scope and scale of the affected data is typically made.

If hackers start routinely publishing the files they encrypt, a great deal of information is put at risk: personal information, salary data, termination letters, details of relationships with third parties, trade secrets and a host of other sensitive, proprietary material. Public exposure of that data will not only heighten public concern but could easily lead to lawsuits, especially if the victim company failed to report the attack as a breach before the data was leaked.

It’s too soon to say whether or not this is or will become the new normal, but before it happens to you, it bears thinking about how your company will handle the issue.

New Zeppelin Ransomware Brings Companies To A Halt

Researchers at BlackBerry Cylance have discovered a new and dangerous strain of ransomware in the wild dubbed “Zeppelin”.

It has been used to target a small number of healthcare and technology-related companies in the US, Canada and Europe in recent weeks. An analysis of the code reveals that Zeppelin is related to, but distinct from, the VegaLocker ransomware family.

The code has been heavily modified and enhanced though, to the point that the researchers felt confident in calling it a brand-new strain.

The new threat is primarily spread through supply-chain attacks via managed security service providers (MSSPs), which makes its delivery similar to that of the Sodinokibi ransomware family. Of interest, the code is highly configurable. The researchers surmise that it is being offered on underground forums as ransomware-as-a-service, with third-party hackers paying for the right to use it and then customizing it to their needs.

Zeppelin was first compiled in early November 2019, and since that time, it has been used on a limited basis against what the researchers describe as “a few carefully selected targets”.

They also had this to say about their recent discovery:

“There seem to be a limited number of victims, and we haven’t seen the malware being used in any wide-spread distribution campaign so far, therefore it looks like the threat actors are rather careful in whom they are targeting…one of the possibilities is that the campaign didn’t yet fully take off and the current victims are only the ‘patient zero’ in some kind of test run.

The advice is the same as always: use a comprehensive security solution, maintain up-to-date operating systems, perform regular backups – and keep them on mediums that are usually disconnected from the network, educate your personnel on basic security guidelines, stay cautious and vigilant.”

It’s very good advice. Although not yet widespread, Zeppelin poses a serious threat indeed.

Ransomware Uses New Method To Get Past Antivirus Programs

Researchers at SophosLabs have discovered a new threat to be on the alert for: a variant of the Snatch ransomware that has been spotted in the wild.

It features an innovative means of getting around whatever antivirus software you may be using to defend yourself.

Disguised as a backup utility, the malware, once installed, forces the Windows PC it's running on to reboot into Safe Mode. This works because Safe Mode loads only a minimal set of drivers and services, and most antivirus and endpoint protection products are not among them. With nothing running to detect it, the ransomware starts after the reboot and encrypts the files on the system, leaving them unusable.

It gets worse. Besides locking the infected system down, Snatch attempts to delete all Volume Shadow Copies so that earlier versions of the encrypted files cannot be restored from them. And it does more than encrypt: it roots through the system and steals a wide range of data files, sending them off to a command and control server even as it encrypts them.
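The Safe Mode trick and the shadow-copy deletion both leave traces in process-creation telemetry, which is where a defender would catch them. The following detection logic is an added example, not code from SophosLabs or from Snatch. The page says only that the malware reboots into Safe Mode and deletes Volume Shadow Copies; the concrete commands matched below (bcdedit's safeboot switch, a service registered under the SafeBoot registry key, vssadmin or wmic shadow-copy deletion, a forced shutdown) are the standard Windows ways of doing those things and are assumptions about how a sample would achieve them. The event records, host names and the BackupMgr service name are constructed for the example.

```python
"""Detection logic for the Safe Mode trick described above.

Added example, not code from SophosLabs or from Snatch. The commands matched
here (bcdedit safeboot, a SafeBoot registry service entry, vssadmin/wmic
shadow-copy deletion, a forced shutdown) are assumptions about how a sample
would achieve what the text describes, not taken from the page.
"""
import re
from collections import defaultdict

# Each rule is a regex run over "<image> <command line>" of a process-creation
# event (Sysmon event ID 1 or Windows Security 4688 style data).
RULES = {
    # Reconfigure the next boot to Safe Mode (minimal or networking).
    "SAFE_MODE_BOOT": re.compile(r"bcdedit(\.exe)?\s.*\bsafeboot\b", re.I),
    # Register a service so it is allowed to start in Safe Mode.
    "SAFEBOOT_SERVICE": re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I),
    # Destroy Volume Shadow Copies to block recovery of earlier file versions.
    "SHADOW_DELETE": re.compile(
        r"(vssadmin(\.exe)?\s.*delete\s+shadows|wmic(\.exe)?\s.*shadowcopy\s+delete)", re.I),
    # Immediate forced reboot, which completes the switch into Safe Mode.
    "FORCED_REBOOT": re.compile(r"shutdown(\.exe)?\s.*[/-]r\b.*[/-]f\b", re.I),
}

# Rules that, together with SAFE_MODE_BOOT on the same host, justify an alert.
CORROBORATING = {"SAFEBOOT_SERVICE", "SHADOW_DELETE", "FORCED_REBOOT"}


def match_rules(event):
    """Return the names of all rules that fire on one process-creation event."""
    text = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan(events):
    """Flat list of (rule name, event id) pairs over an event stream."""
    return [(rule, ev["id"]) for ev in events for rule in match_rules(ev)]


def alert_hosts(events):
    """Hosts where a Safe Mode boot change is corroborated by another rule.

    A lone bcdedit call can be an administrator troubleshooting; combined with
    shadow-copy deletion, a SafeBoot service registration or a forced reboot
    it looks like the sequence the text describes.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))
    return {host for host, rules in per_host.items()
            if "SAFE_MODE_BOOT" in rules and rules & CORROBORATING}


# Constructed sample events (not real telemetry). Host WS-042 shows the full
# chain; WS-017 shows benign use of the same binaries that must not alert.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-042", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create BackupMgr binPath= "C:\ProgramData\BackupMgr\backup.exe" start= auto'},
    {"id": 2, "host": "WS-042", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BackupMgr /ve /t REG_SZ /d Service /f"},
    {"id": 3, "host": "WS-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"id": 4, "host": "WS-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 5, "host": "WS-042", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /f /t 00"},
    {"id": 6, "host": "WS-017", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    {"id": 7, "host": "WS-017", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for rule, eid in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
    print("alert on hosts:", sorted(alert_hosts(SAMPLE_EVENTS)))
```

The individual rules are noisy on their own (administrators run bcdedit and vssadmin legitimately, as host WS-017 shows), so the alert requires the Safe Mode boot change to be corroborated by a second rule on the same host. A practitioner would also feed the same patterns to whatever EDR or SIEM is in place rather than running a script, but the correlation logic is the same.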

The researchers report that Snatch runs on Windows 7 through 10, in both 32- and 64-bit versions. Of interest, it was written in Go, a language that compiles to native binaries and makes cross-compiling for other operating systems straightforward. Although Snatch is currently known to affect only Windows machines, the choice of language means its developers could port it to other platforms with relatively little effort.

The hackers controlling the code seem to have big plans. They're advertising for affiliates on underground forums on the Dark Web, hoping to partner with hackers or disgruntled insiders whose credentials would let them plant the malicious code inside large organizations.

Although there’s no evidence yet of a widespread campaign using Snatch, that day seems inevitable, so make sure your staff knows to stay on the alert for it.

New Ransomware Called DeathRansom Hits The Scene

Early in 2019, a new strain of ransomware called “DeathRansom” appeared. Its bark was initially much worse than its bite: researchers quickly discovered that it only pretended to encrypt a user's files.

If victims simply removed the extension the malware had appended to each file, they got their files back without doing anything else.

That ceased to be the case around November 20th of this year. Not only did the malware's developers begin actually encrypting files, but the number of reported DeathRansom infections surged, indicating a large-scale, highly organized distribution campaign.

Of interest, nobody seems to know exactly how DeathRansom is being distributed, but an anonymous Reddit post offered a tantalizing clue.

The poster's screenshots showed that DeathRansom ransom notes and STOP Djvu-encrypted files were often found together in the same submissions to researchers. That matters because STOP has the distinction of being distributed only via software cracks and adware bundles, which is a strong indication that DeathRansom is riding the same channels.

However the software is finding its way onto victim systems, it has gotten increasingly good at its job. The current iteration encrypts every file on the target machine except those whose full path contains any of the following strings:

  • Programdata
  • $recycle.bin
  • Program files
  • Windows
  • All users
  • Appdata
  • txt
  • bat
  • ini
  • inf
  • dat
  • db
  • bak
  • boot.ini
  • dat.log

DeathRansom’s creators wanted to make sure their ransom notes are found, so in the latest version every folder on the victim's machine that contains locked files also gets a read_me.txt containing the ransom note, a unique “Lock-ID” for that particular victim, and an email address for contacting the developer or affiliate for payment details.
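The exclusion list above is applied, as the text states it, as a plain substring test on the full path, and that has consequences an incident responder should understand: short strings such as “db” and “dat” also match ordinary file and folder names, and “txt” is what keeps the read_me.txt notes themselves from being encrypted. The following model of that rule is an added example, not DeathRansom's own code; the sample file listing is constructed, and the exclusion strings are taken from the list on this page exactly as given.

```python
"""Model of the DeathRansom exclusion rule described above.

Added example, not DeathRansom's own code. It applies the rule as the text
states it, a case-insensitive test of whether any listed string occurs
anywhere in the full path, and shows which files that rule leaves alone.
"""

# Exclusion strings as listed on the page, lower-cased ("db" listed once).
EXCLUDED_SUBSTRINGS = [
    "programdata", "$recycle.bin", "program files", "windows", "all users",
    "appdata", "txt", "bat", "ini", "inf", "dat", "db", "bak", "boot.ini",
    "dat.log",
]


def matching_exclusions(path, exclusions=EXCLUDED_SUBSTRINGS):
    """Return the exclusion strings found in `path` (empty if none)."""
    lowered = path.lower()
    return [s for s in exclusions if s in lowered]


def would_encrypt(path, exclusions=EXCLUDED_SUBSTRINGS):
    """True if a file at `path` would be encrypted under the described rule."""
    return not matching_exclusions(path, exclusions)


def triage(paths, exclusions=EXCLUDED_SUBSTRINGS):
    """Split a file listing into files the rule encrypts and files it skips.

    Returns (encrypted, skipped) where `skipped` maps each untouched path to
    the strings that caused the skip, which is what an incident responder
    needs to explain why some files survived.
    """
    encrypted, skipped = [], {}
    for p in paths:
        hits = matching_exclusions(p, exclusions)
        if hits:
            skipped[p] = hits
        else:
            encrypted.append(p)
    return encrypted, skipped


# Constructed sample listing (not real victim data). The comments note why
# the rule skips a file; several skips are side effects of substring matching.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\q3_report.docx",          # encrypted
    r"C:\Users\alice\Documents\feedback.xlsx",           # "feedback" contains "db"
    r"C:\Users\alice\Desktop\notes.txt",                 # contains "txt"
    r"C:\Users\alice\Documents\read_me.txt",             # the ransom note itself
    r"C:\Windows\System32\drivers\etc\hosts",            # contains "windows"
    r"C:\Users\alice\AppData\Roaming\app\settings.json", # "appdata" (and "dat")
    r"D:\Shares\Finance\budget_update.xlsx",             # "update" contains "dat"
    r"D:\Shares\Finance\invoices_2019.pdf",              # encrypted
    r"D:\Databases\customers.sqlite",                    # "databases" contains "dat"
]

if __name__ == "__main__":
    encrypted, skipped = triage(SAMPLE_LISTING)
    print("would be encrypted:")
    for p in encrypted:
        print("  ", p)
    print("left alone:")
    for p, hits in skipped.items():
        print("  ", p, "->", hits)
```

Run against a file listing recovered from an affected machine, `triage` predicts which files the malware would have left intact, which helps prioritize recovery and explains why files such as feedback.xlsx or anything under a folder named Databases survived while their neighbours did not.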

An analysis of the most recent DeathRansom strain is ongoing. At this point, it is not yet known if the encrypted files can be decrypted without paying the ransom.