Hackers Behind REvil Ransomware Are Back Online

Not long after its successful attack on Kaseya, the band of cyber criminals behind the REvil ransomware strain went dark. Their “Happy Blog” leak site mysteriously went offline.

It is not known whether the group went into hiding as a precaution after the attack drew worldwide condemnation, or whether law enforcement action forced it offline.

Many credit Presidents Biden and Putin, because the group went silent not long after the two leaders spoke and Biden pressed the Russian leader about ransomware attacks originating from Russian soil.

Kaseya is a global IT management software vendor based in Ireland. The REvil attack, delivered through Kaseya’s VSA remote-management product, impacted thousands of end users in more than a thousand small to medium-sized companies served by Kaseya’s managed service provider customers. Whatever drove the hacking group offline, the pressure seems to have faded and the group has returned. Security researchers from both Emsisoft and Recorded Future have confirmed that most of the gang’s infrastructure is back in operation.

Ransomware expert Allan Liska had this to say about the group:

“Things definitely got hot for them for a while, so they needed to let law enforcement cool down. The problem (for them) is, if this is really the same group, using the same infrastructure, they didn’t really buy themselves any distance from law enforcement or researchers, which is going to put them right back in the crosshairs of literally every law enforcement group in the world (except Russia’s).

I’ll also add that I’ve checked all of the usual code repositories, like VirusTotal and Malware Bazaar, and I have not seen any new samples posted yet. So, if they have launched any new ransomware attacks, there haven’t been many of them.”

BlackFog CEO Darren Williams added that he is not surprised the group resurfaced. REvil is one of the most successful ransomware operations of 2021, and with so much demand from hackers around the world it would have been virtually impossible for the group to remain hidden and offline for long.

REvil is back, and it is only a matter of time before REvil attacks begin anew.

Exchange Servers Are The Target Of This New Ransomware

A new ransomware gang known as “LockFile” has recently burst onto the scene. They specifically target Microsoft Exchange servers to gain initial access, then proceed to encrypt everything they can reach.

LockFile exploits a trio of vulnerabilities, collectively known as ProxyShell, to gain access to a targeted Exchange server.

ProxyShell was discovered and named by Orange Tsai, Principal Security Researcher at DEVCORE, who found the three bugs and chained them together into a single attack that runs from an unauthenticated request all the way to remote code execution on the server.

The issues are being tracked separately as follows:

  • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

All three issues have been patched, as the notes above show, but there is no guarantee that they are patched on your network. Your IT staff may or may not have gotten around to applying the updates referenced above. Note also that Exchange security updates only install on a supported Cumulative Update, so a server sitting on an old CU has to be brought up to date before the fix can even be applied. If that has not happened, your network is at risk.

It should also be noted that attackers are actively scanning the internet for Exchange servers vulnerable to ProxyShell. So if your network is at risk, it is only a matter of time until LockFile, or someone else, finds you.
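Because the scanning happens against the Exchange front end, the IIS logs on the server are the first place to look for it. The following is an added example, not code from the article or from any of the researchers it cites: a small scanner for IIS W3C logs that flags the request shapes described in public write-ups of the ProxyShell chain (an /autodiscover/autodiscover.json request whose query contains an “@” so the front end forwards it to a back-end endpoint such as /mapi/nspi/ or /powershell, and a forged X-Rps-CAT token for the PowerShell back end). The log lines, host names and the X-Rps-CAT value are constructed for the example; the /aspnet_client/ web-shell check is an assumption drawn from incident reports rather than from this article.

```python
"""Flag ProxyShell-style requests in IIS W3C logs from an Exchange front end.
Added example; the log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Indicators from public descriptions of the ProxyShell chain: the pre-auth
# path confusion is reached via /autodiscover/autodiscover.json with an "@" in
# the query, which makes the front end forward the request to a back-end
# endpoint. X-Rps-CAT carries the forged token for the PowerShell back end.
AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
BACKEND_HINTS = ("/mapi/nspi", "/powershell", "/ews/", "/oab/")
# Assumption (from incident write-ups, not from the article): ProxyShell web
# shells were dropped as .aspx files under /aspnet_client/, a directory that
# normally contains no .aspx pages at all.
WEBSHELL_RE = re.compile(r"^/aspnet_client/[^/]+\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a reason string if the request looks like ProxyShell activity, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    query = "" if query == "-" else unquote(query).lower()
    if AUTODISCOVER_JSON in stem and "@" in query:
        if "x-rps-cat" in query:
            return "ProxyShell: autodiscover path confusion with forged X-Rps-CAT token (PowerShell backend)"
        for hint in BACKEND_HINTS:
            if hint in query:
                return f"ProxyShell: autodiscover path confusion routed to {hint}"
        return "ProxyShell: autodiscover.json request with '@' in query"
    if WEBSHELL_RE.match(stem):
        return "possible web shell under /aspnet_client/ (post-exploitation)"
    return None


def scan(text):
    """Return (timestamp, client_ip, method, uri_stem, status, reason) per suspicious request."""
    hits = []
    for e in parse_iis_w3c(text):
        reason = classify(e)
        if reason:
            hits.append((f"{e['date']} {e['time']}", e["c-ip"], e["cs-method"],
                         e["cs-uri-stem"], e["sc-status"], reason))
    return hits


# Constructed sample: one legitimate OWA login, a two-stage ProxyShell probe from
# 198.51.100.77, a follow-up POST to a dropped web shell, and a normal Outlook
# Autodiscover request. The X-Rps-CAT value is a placeholder, not a real token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/&reason=0 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2021-08-20 10:15:07 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.77 python-requests/2.25.1 - 200 0 0 120
2021-08-20 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.77 python-requests/2.25.1 - 200 0 0 300
2021-08-20 10:15:30 10.0.0.5 POST /aspnet_client/zcmfgrr.aspx - 443 - 198.51.100.77 python-requests/2.25.1 - 200 0 0 40
2021-08-20 10:16:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 EXAMPLE\\jdoe 203.0.113.22 Microsoft+Office/16.0 - 200 0 0 25
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Point `scan()` at the contents of the front-end logs under the IIS logging directory (Exchange’s own HttpProxy logs carry the same URLs). A match on the first two rules is a probe or exploitation attempt regardless of the response code; a 200 on the /powershell stage or any traffic to a .aspx file under /aspnet_client/ should be treated as a likely compromise, not just a scan.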

Bookmark this article as a reference and have your IT staff double-check that the patches referenced above have indeed been applied on your network. If they have not, make sure they are applied as soon as possible to minimize your risk.

Very little is known about the LockFile gang or their motivations, but their ransomware is dangerous, and failing to protect vulnerable systems could have serious consequences.

Lockbit Ransomware Is Trying To Become Unstoppable

Over the last couple of years ransomware has become the malware of choice for hackers around the world, and it is easy to understand why: it pays twice. If they successfully breach a corporation they can steal copies of important files and sell them on the black market, while simultaneously demanding a fat payout from the company itself.

A strain called Lockbit has been around since at least 2019 and is aiming to become the ransomware of choice in the hacking world. The developers behind Lockbit have been working hard to upgrade their malicious code with increasingly advanced capabilities that make it more effective, more efficient, and harder to stop.

Even more troubling, Lockbit’s owners offer their code as ‘ransomware-as-a-service’ on the Dark Web, letting affiliates deploy it in exchange for a share of each ransom. That low barrier to entry greatly increases its usage rate.

This ‘ransomware-as-a-service’ scheme has also accelerated the pace of the malware’s development, since the coders get suggestions and requests from their rapidly growing user base and incorporate them into the code quickly.

According to researchers at Trend Micro, Lockbit’s popularity is booming and it is now one of the most widely used ransomware strains in circulation.

Trend’s researchers attribute much of Lockbit’s current success to the fact that the hackers behind the code emulated the moves of the most successful cyber gangs of the past. The group also seems to have benefited from the recent disappearance of a few high-profile gangs taken down by law enforcement around the world.

The bottom line is that the people behind Lockbit know what they are doing. They have a growing body of experience and are committed to updating their code, which means Lockbit will be a serious threat for the foreseeable future.

Change Your NAS Device Password To Avoid Ransomware Attacks

Synology, a NAS manufacturer based in Taiwan, recently warned its customers about the StealthWorker botnet. This botnet has been targeting a wide range of NAS (Network Attached Storage) devices using simple brute-force password guessing. Any time the botnet succeeds in breaching a NAS it can deploy a ransomware payload to encrypt the files on that device.

The botnet also stores working credentials so that its controllers can use them later to try to breach other devices on the same network, on the assumption that many people reuse passwords. It is a simple and effective strategy that could have devastating consequences for anyone with weak admin credentials or passwords recycled across multiple devices.
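A brute-force campaign like this leaves a recognisable trail in the NAS login log long before any ransomware runs: a burst of failures from one source, a success from that same source, and, when the botnet works through a credential list from many nodes, one account failing from many addresses. The following is an added example, not code from the article or from Synology: a small detector that reads login events and raises those three alerts. The log format is constructed for the example (an ISO timestamp, the word “login”, a result, and user= / from= fields); Synology DSM’s own Log Center lines look different, so only parse_line() needs adapting to a real export.

```python
"""Detect brute-force, success-after-failures and password-spray patterns in NAS
login logs. Added example; the log lines below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                # failures from one source inside WINDOW -> brute force
SPRAY_SOURCES = 3                 # distinct sources failing for one user inside WINDOW -> spray
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse the constructed format '<ISO ts> login <success|failure> user=<u> from=<ip>'."""
    ts, _, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "success",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def _prune(q, now, window):
    """Drop queued entries (ts, ...) that fell out of the sliding window."""
    while q and now - q[0][0] > window:
        q.popleft()


def detect(lines, threshold=FAIL_THRESHOLD, spray_sources=SPRAY_SOURCES, window=WINDOW):
    """Return alerts in time order. Each alert is a dict with a 'kind' key:
    brute_force, success_after_failures or password_spray."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(deque)     # src  -> deque of (ts,) failures
    by_user = defaultdict(deque)    # user -> deque of (ts, src) failures
    flagged_src, flagged_user = set(), set()
    alerts = []
    for ev in events:
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["ok"]:
            # A success from a source that already tripped the threshold is the
            # high-priority signal: the guessing most likely worked.
            if src in flagged_src:
                alerts.append({"kind": "success_after_failures", "ts": ts, "src": src, "user": user})
            continue
        q = by_src[src]
        q.append((ts,))
        _prune(q, ts, window)
        if len(q) >= threshold and src not in flagged_src:
            flagged_src.add(src)
            alerts.append({"kind": "brute_force", "ts": ts, "src": src, "user": user,
                           "failures": len(q)})
        uq = by_user[user]
        uq.append((ts, src))
        _prune(uq, ts, window)
        distinct = {s for _, s in uq}
        if len(distinct) >= spray_sources and user not in flagged_user:
            flagged_user.add(user)
            alerts.append({"kind": "password_spray", "ts": ts, "user": user,
                           "sources": len(distinct)})
    return alerts


# Constructed sample: one source hammers 'admin' and then gets in, a legitimate
# user mistypes once, and three botnet nodes each try 'admin' within a minute.
SAMPLE_LOG = """\
2021-08-05T09:00:00 login failure user=admin from=203.0.113.50
2021-08-05T09:00:10 login failure user=admin from=203.0.113.50
2021-08-05T09:00:20 login failure user=admin from=203.0.113.50
2021-08-05T09:00:30 login failure user=admin from=203.0.113.50
2021-08-05T09:00:40 login failure user=admin from=203.0.113.50
2021-08-05T09:00:50 login failure user=admin from=203.0.113.50
2021-08-05T09:01:10 login success user=admin from=203.0.113.50
2021-08-05T09:02:00 login failure user=alice from=192.0.2.10
2021-08-05T09:02:05 login success user=alice from=192.0.2.10
2021-08-05T09:05:00 login failure user=admin from=198.51.100.1
2021-08-05T09:05:10 login failure user=admin from=198.51.100.2
2021-08-05T09:05:20 login failure user=admin from=198.51.100.3
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The thresholds are deliberately low for the sample; on a real device tune them against a day of normal traffic, and treat success_after_failures as an incident (rotate the credential, check for new scheduled tasks and shares) rather than just a log entry.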

Synology alerted its customers to the threat directly and is urging all of them to immediately change any weak passwords and to replace any password that is in use on multiple devices, whether those devices are on the same network or a different one, in order to mitigate the risk.

Where possible, the company is also urging the use of two-factor authentication to make it harder for the botnet to gain a foothold even when it guesses a password. Automatically blocking sources that repeatedly fail to log in, and keeping the NAS management interface off the open internet, blunt this kind of attack as well.

This botnet and this particular line of attacks seem to favor Synology NAS devices, so if you use them at your company you should review your passwords right away to make sure they are sufficiently robust, and enable any other network security protections you can.

The attackers could easily shift to NAS devices from other vendors, or to other types of devices entirely, so now is a good time for a general password security review to make sure you are not caught off guard.

Coalition Of Big Names Coming Together To Fight Ransomware

If you’re worried about ransomware attacks know that help is on the way.

CISA (the Cybersecurity & Infrastructure Security Agency) has announced a partnership with some of the biggest names in tech. The purpose of this collaborative effort, called the Joint Cyber Defense Collaborative, is to coordinate national cyber defense planning against ransomware and other serious cyber threats.

In recent years ransomware has emerged as one of the favored tools of hackers around the world. It allows them to profit twice from a network they break into: they can sell any data they collect before locking the files, and they can charge the victim a hefty fee to get the files unlocked.

The collaborative effort has gained global attention, and the following companies have joined the government in it:

  • Amazon
  • Google
  • Microsoft
  • Crowdstrike
  • AT&T
  • FireEye
  • Mandiant
  • Lumen
  • Palo Alto Networks
  • And Verizon.

CISA says the Collaborative will be expanded over time to include other companies. Note also that CISA is not the only government agency participating.

The other agencies involved include:

  • The FBI
  • The Office of the Director of National Intelligence
  • The Department of Justice
  • The NSA (National Security Agency)
  • And U.S. Cyber Command

This is not a half measure. There is real breadth and depth of expertise in the two lists above, and the Collaborative clearly means business and has the resources to make a difference.

No one expects the Collaborative to put an end to cyber attacks, but with the capabilities of this group it will undoubtedly make serious headway. Its very existence may be enough to give at least some hackers pause.

This is great news indeed if you’re at all concerned about cyber security and the threats that hackers around the world pose.