Ransomware and Recent Variants

guest · Jan 31, 2020

The Week in Ransomware - January 31st 2020 - Taking it to The Courts
January 31, 2020
https://www.bleepingcomputer.com/ne...re-january-31st-2020-taking-it-to-the-courts/

This week we saw victim's continuing to use the legal system to target ransomware operator's assets and services as well as a new ransomware targeting vulnerabilities.

The most interesting news is how victims are utilizing the legal system to freeze or get injunctions against the assets and services used by ransomware operators. This was seen in the previous Southwire lawsuit against Maze and this week with a UK judge freezing the ransomware wallet for Bitpaymer.

Also of interest, we saw actors exploiting the Citrix ADC vulnerability to install the Ragnarok Ransomware on compromised networks.
Other than that, we continue to see new variants of existing ransomware such as Dharma, LockBit, and STOP. [...]
Click to expand...

guest · Feb 2, 2020

London Offshore Consultants suffers ransomware attack
January 31, 2020
https://splash247.com/london-offshore-consultants-suffers-ransomware-attack/

UK marine engineering consultancy London Offshore Consultants (LOC) Group has been hacked by a group known as Maze.

The company, with more than 400 employees, saw its computers frozen on December 30 with hackers then demanding a ransom to unlock them.
The hackers claimed that 300GB of information was stolen from the company with some files leaked online in an attempt to force LOC Group to pay a ransom.

LOC said in a statement sent to Splash that the attacks saw a data breach confined to a single site, affecting a small number of clients, who were notified without delay.
Click to expand...

hawki · Feb 3, 2020

"Maryland poised to criminalize ransomware possession

A bill proposed by Maryland lawmakers to criminalize ransomware possession looks set to pass a year after a costly cyber-attack hit the state’s biggest city.

The creation and distribution of malware for criminal purposes is illegal under current US legislation, however, merely possessing malware or ransomware is not.

This new state bill, proposed...on January 13, would criminalize ransomware ownership with intent to cause harm..."

https://portswigger.net/daily-swig/maryland-poised-to-criminalize-ransomware-possession

guest · Feb 3, 2020

Maze Ransomware Hits Law Firms and French Giant Bouygues
February 3, 2020
https://www.infosecurity-magazine.com/news/maze-ransomware-law-firms-french/

Cyber-criminals behind the Maze ransomware attacks have claimed several more scalps over the past few days, including five law firms and a French industrial giant, all of which are thought to have had sensitive internal data stolen.

Brett Callow, a threat analyst with security vendor Emisoft, alerted Infosecurity to the developments over the weekend. The Maze group has a dedicated website where it first names victim organizations and then releases stolen data if they refuse to pay the ransom.

“This makes sense. The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published,” said Callow.

At present, only two of the law firms have had sensitive customer data published but, ominously for the other victims, the group promises that the “proofs” are coming soon.
The French firm struck by Maze, Bouygues Construction, published a brief statement on Friday admitting a “ransomware-type virus” had been detected on its network the day before.

“As a precautionary measure, information systems have been shut down to prevent any propagation,” the statement read.
Click to expand...

guest · Feb 3, 2020

Ransomware knocks city of Racine offline
February 3, 2020
https://www.scmagazine.com/home/security-news/ransomware/ransomware-knocks-racine-city-offline/

The city of Racine, Wis., was hit with a ransomware attack January 31 that knocked most of its non-emergency computer services offline.

The Wisconsin-city’s website, email system and online payment collection systems were still down as of February 3 and the city police are unable to processes fee payments or provide copies of police and accident reports, reported the Journal Times and the Racine Police Department’s Facebook page.
Racine’s information management department is working to correct the issue and bring its systems back online.
Click to expand...

guest · Feb 5, 2020

New ransomware with ‘.SaveTheQueen’ extension discovered by Varonis
February 4, 2020
https://www.information-age.com/new-ransomware-savethequeen-extension-discovered-varonis-123487551/

The findings regarding this ‘next-generation’ ransomware were put forward via a blog post by Varonis.

The progress of the newly uncovered malware was found to be tracked using the system volume (SYSVOL) folder found on active directory (AD) domain controllers.
The initially infected user, who contacted Varonis to report the ransomware, named a file ‘hourly’ and saved it in the SYSVOL folder. This would be accessed by various IP addresses.

“The final payload is very plain ransomware. No persistence, no C2 connection — just good old asymmetric encryption to make the victims’ files unreadable,” the blog post from Varonis explained.
This ransomware, according to Varonis, does not encrypt EXE, DLL, MSI, ISO, SYS or CAB file types, nor does it encrypt files in the following folders: [...]
The shellcode
“After reading the source code using DNSpy, we understood its sole purpose was to inject shellcode into the “winlogon.exe” process,” said Varonis’s blog post.
Injecting shellcode into winlogon.exe, a standard component of Windows operations, made it even harder than usual to detect.
Click to expand...

Varonis: A Queen’s Ransom: Varonis Uncovers Fast-Spreading “SaveTheQueen” Ransomware

FanJ · Feb 5, 2020

FanJ said: ↑

Maastricht University (Universiteit Maastricht) hit by Clop-ransomware.
Click to expand...

Today there was a symposium by the university UM. The UM and Fox-IT told more about it.
The symposium was only for guests but there was a live-stream:
https://www.maastrichtuniversity.nl/um-cyber-attack-symposium-–-livestream
(I assume you can later play it back, but I'm not sure about that).

I don't know whether there are already English articles available; maybe they come later.
Lots of Dutch sites have articles, in Dutch:
https://nos.nl/artikel/2321732-hack...-maanden-in-netwerk-200-000-euro-betaald.html
https://www.nu.nl/tech/6028600/univ...ijna-2-ton-losgeld-na-digitale-gijzeling.html
https://www.security.nl/posting/642...esmet via phishingmail en verouderde software

This evening Frank Groenewegen, security-expert at Fox-IT, will be on Dutch TV, Nieuwsuur:
https://nos.nl/nieuwsuur/artikel/2321700-de-uitzending-van-5-februari.html

In short, what happened according to the above articles:
It all started already on 15 and 16 October 2019 with phishingmails, pointing to malicious document.
There were two servers with unpatched OS.
On 21 November the whole network was compromised: 267 servers and 2 workstations.
The hacker needed to use a certain software to roll out the ransomware further. That was detected by a AV.
The hacker then de-installed that AV.
On 23 December the ransomware was rolled out.
Backups were also encrypted.
The UM paid about 197.000 euro (30 bitcoin).

I hope that there will be later better articles in English than I gave here in this short summary.

guest · Feb 5, 2020

Mailto (NetWalker) Ransomware Targets Enterprise Networks
February 5, 2020
https://www.bleepingcomputer.com/ne...alker-ransomware-targets-enterprise-networks/

With the high ransom prices and big payouts of enterprise-targeting ransomware, we now have another ransomware known as Mailto or Netwalker that is compromising enterprise networks and encrypting all of the Windows devices connected to it.

In August 2019 a new ransomware was spotted in ID Ransomware that was named Mailto based on the extension that was appended to encrypted files.
It should be noted that the ransomware has been commonly called the Mailto Ransomware due to the appended extension, but analysis of one of its decryptors indicates that it is named Netwalker. We will discuss this later in the article.
The Mailto / Netwalker ransomware
According to Head of SentinelLabs Vitali Kremez who also analyzed the ransomware, the configuration is quite sophisticated and detailed compared to other ransomware infections.

"The ransomware and its group have one of the more granular and more sophisticated configurations observed," Kremez told BleepingComputer.
Click to expand...

Is it named Mailto or Netwatcher?
On one hand, we clearly know its name is Netwalker, but on the other hand, the victims know it as Mailto and most of the helpful information out there utilizes that name.
To make it easier for victims, we decided to continue to refer to this ransomware as Mailto, but the names can be used interchangeably
Click to expand...

guest · Feb 5, 2020

Tracker SA's systems hacked
February 2, 2020
https://www.dispatchlive.co.za/news/2020-02-02-tracker-sas-systems-hacked/

Stolen vehicle recovery company Tracker on Sunday announced that it had become "a victim of a cybercrime in the form of a ransomware attack."
The hack attack "encrypted information on some systems," it said in a statement.

On detecting the malware, it immediately took its systems offline as a temporary precautionary measure, stopping the spread to other areas of its system, the company said on Sunday.
Tracker said it has been able to continue with its recovery and care tracking operations.
Click to expand...

guest · Feb 5, 2020

mood said: ↑

Tracker SA's systems hacked
February 2, 2020
Click to expand...

Tracker hack hints at more ransomware attacks in South Africa
February 5, 2020
https://www.itweb.co.za/content/LPp6VMr4YxNvDKQz/pXnWJadMba7bjO1e

South African organisations are likely to continue falling prey to ransomware attacks this year.
So says Heino Gevers, cyber security expert at Mimecast, after stolen vehicle recovery company Tracker revealed it was hacked on Sunday.

“In previous years, South African ransomware statistics were lower than global statistics, but it appears cyber criminals are turning their attention to what they perceive to be soft targets in South Africa. The indications suggest we can expect an increase in these kinds of attacks in 2020.”
Last year, City Power, the City of Johannesburg’s electricity utility, was hit by a ransomware attack that encrypted databases, applications and network.

He adds that ransomware is becoming increasingly sophisticated and cyber criminals are concentrating their efforts on developing this attack method.
Click to expand...

FanJ · Feb 5, 2020

FanJ said: ↑

Today there was a symposium by the university UM. The UM and Fox-IT told more about it.
The symposium was only for guests but there was a live-stream:
Click to expand...

Some more info, mostly in Dutch:

The livestream of the symposium (in Dutch) can be replayed back later.
There is a big report from Fox-IT (in Dutch).

https://www.maastrichtuniversity.nl/um-cyber-attack-symposium-–-lessons-learnt

At a symposium on Wednesday 5 February, Maastricht University (UM) addressed the cyber attack that took place on 23 December. The symposium was open to invited guests only. Other interested parties could follow the livestream, which you can replay on this page as of 6 February (in the afternoon). Due to the complexity of the subject matter and the presence of Dutch media only, the symposium was held in Dutch.

The symposium provided insight into what actually happened, and addressed broader cyber-related issues such as digital security in the public sector.

UM enlisted the help of an IT security company as of 24 December. Fox-IT assisted in crisis management, charting the attack and conducting forensic investigations, and advised during the recovery process.

You can read the Fox-IT report, with an explanation from UM (in Dutch only).
Click to expand...

Fox-IT report in Dutch in .pdf format :
https://www.maastrichtuniversity.nl/file/foxitrapportreactieuniversiteitmaastrichtpdf
(BTW: I wonder whether they didn't forget the dot before the pdf extension in that link there)

The Observant has already an article in Dutch:
https://www.observantonline.nl/Home...-grote-morele-bezwaren-tegen-betaling-losgeld
They are saying (at the moment) on their English version that more info will come later:
https://www.observantonline.nl/Engl.../17954/Paid-ransom-confirmed-during-symposium

guest · Feb 5, 2020

Ransomware suspected after CUNA, a credit union lobbyist, knocked offline
February 5, 2020
https://techcrunch.com/2020/02/05/cuna-ransomware-offline/

The Credit Union National Association, a major lobbyist and trade association for credit unions, is recovering after its systems were knocked offline earlier this week following a “cyber incident.”
CUNA, headquartered in Washington, DC, represents state and federally chartered credit unions across the U.S., and provides lobbying, advocacy and other trade association services.

But its systems were knocked offline Monday as a result of ransomware, according to a source familiar with the incident who was not authorized to talk to the press. The type of ransomware used is not immediately known, but CUNA is understood to predominantly run Microsoft software, which is frequently a target of ransomware.
Vicky Christner, a spokesperson for CUNA, would not confirm ransomware was the cause of the outage [...]
Click to expand...

FanJ · Feb 6, 2020

About that ransomware and the UM :

FanJ said: ↑

The Observant has already an article in Dutch:
https://www.observantonline.nl/Home...-grote-morele-bezwaren-tegen-betaling-losgeld
They are saying (at the moment) on their English version that more info will come later:
https://www.observantonline.nl/Engl.../17954/Paid-ransom-confirmed-during-symposium
Click to expand...

That article in English is in the meanwhile ready:
https://www.observantonline.nl/Engl...reat-moral-objections-against-paying-a-ransom

guest · Feb 6, 2020

Ransomware Exploits GIGABYTE Driver to Kill AV Processes
February 6, 2020
https://www.bleepingcomputer.com/ne...xploits-gigabyte-driver-to-kill-av-processes/

The attackers behind the RobbinHood Ransomware are exploiting a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows that is used to terminate antivirus and security software.

In a new report, Sophos researchers have seen the RobbinHood attackers installing a known vulnerable GIGABYTE driver that has been cosigned by Microsoft and exploiting its vulnerability to disable Microsoft's driver signature enforcement feature.
"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos' report explains.

With the high payouts of network-wide ransomware attacks, attackers are investing a lot of resources into new and innovative methods to bypass security software and protections in Windows.
Click to expand...

Sophos: Living off another land: Ransomware borrows vulnerable driver to remove security software

Sophos has been investigating two different ransomware attacks where the adversaries deployed a legitimate, digitally signed hardware driver in order to delete security products from the targeted computers just prior to performing the destructive file encryption portion of the attack.
Click to expand...

guest · Feb 6, 2020

mood said: ↑

600 Computers Taken Down After Florida Library Cyberattack
January 21, 2020
https://www.bleepingcomputer.com/ne...taken-down-after-florida-library-cyberattack/
Click to expand...

Ryuk ransomware used to attack Volusia library computers, records show
February 6, 2020
https://www.news-journalonline.com/...ware-used-to-attack-volusia-library-computers

Volusia County officials say they’ve referred the attack to law enforcement, but would not say which agency is investigating. Emails provided in response to a public-record request indicate the library computers were infected by Ryuk ransomware. The county will not say whether it has made a ransom payment.

“Because it‘s under investigation, we have no comment at this time,” said Kevin Captain, a county spokesman in an emailed response to a question about ransom.
Captain confirmed the county‘s insurance deductible is $100,000. “The county has no confirmation of cost at this time but will at a later date,” Captain said.

Volusia County provided The News-Journal hundreds of pages of emails about the ransomware incident, some of it redacted because of the ongoing criminal investigation.
Click to expand...

guest · Feb 6, 2020

Allegheny Intermediate Unit investigates malware attack, avoids ransom payment
February 6, 2020
https://triblive.com/local/pittsbur...tigates-malware-attack-avoids-ransom-payment/

Allegheny Intermediate Unit alerted its employees Thursday afternoon to a recent malware attack on its data network but said there’s no initial evidence the perpetrator accessed sensitive information.

According to the employee notice, which was made available to the Tribune-Review, an “unknown entity” encrypted portions of the intermediate unit’s network and demanded payment of ransom to unencrypt the affected data.

“The AIU had backup versions of the most critical information and was able to restore access to the vast majority of the impacted files without engaging or paying the intruder,” interim Executive Director Rosanne Javorsky stated in the notice.
Sarah McCluan, supervisor of communication services for the AIU, declined to comment on the time frame when the malware attack occurred, citing the ongoing investigation.
Click to expand...

guest · Feb 7, 2020

Translink systems "crippled" by hackers 'holding firm to ransom'
It is understood a virus has infected the firm's intranet
February 7, 2020
https://www.belfastlive.co.uk/news/belfast-news/translink-systems-crippled-hackers-holding-17704725

Translink's system are reported to have been "crippled" by a virus placed inside the company's intranet by hackers.

The "very serious" cyber attack was first noticed on Wednesday and it is understood those behind it are 'holding the travel firm to ransom'.
Two separate sources told Belfast Live it has rendered Translink's internal computer systems unusable.
A Translink spokesperson said bus and train services have not been affected and that they are working to try and resolve the issue as soon as they can.

They added: "We are experiencing difficulties with our internal IT systems. We are working to resolve these issues as quickly as possible.
Click to expand...

guest · Feb 8, 2020

The Week in Ransomware - February 7th 2020 - Exploiting Drivers
February 7, 2020
https://www.bleepingcomputer.com/ne...somware-february-7th-2020-exploiting-drivers/

This week we did not see too many new variants released, but we did have some interesting ransomware news.

We had the Mailto Ransomware identified as an enterprise-targeting infection after being used in a cyber attack against the Australian Toll Group.
Sophos Labs also discovered that RobbinHood Ransomware utilizes drivers with known vulnerabilities to disable Windows security protections and antivirus software.

We also continue to see ransomware groups such as REvil follow through with their threats of publishing data online when a victim does not pay. [...]
Click to expand...

guest · Feb 9, 2020

North Miami Beach Affected By Cyber Attack
February 7, 2020
https://miami.cbslocal.com/2020/02/07/north-miami-beach-affected-by-cyber-attack/

The City of North Miami Beach announced Friday that it had been impacted by ransomware.

Here is the statement released by the city on the attack:

“On Tuesday, the North Miami Beach Police Department determined that it was impacted by ransomware. The Department immediately contacted the Federal Bureau of Investigation, the U.S. Secret Service, and the Miami-Dade Police Department, and an investigation is ongoing.
“The ransomware was discovered by information technology personnel within the Police Department, who immediately took appropriate steps to shut down computer systems and draw on the expertise of the FBI and Secret Service. [...] The City of North Miami Beach’s investigation will include an analysis to determine whether any resident’s, employee’s, or vendor’s personal information may have been subject to unauthorized access or acquisition.”
Click to expand...

Krusty · Feb 10, 2020

Toll transport hack leaves customers demanding answers on parcel delivery delays

Customers awaiting parcel deliveries from transport company Toll say they have been left in the dark about major delays caused by a cyber attack on the company's IT systems.
Click to expand...

https://www.abc.net.au/news/2020-02...es-customers-and-deliveries-in-limbo/11949036

Toll Group said the attack had been caused by a "new variant of the Mailto ransomware" and the company had notified federal authorities.

In a statement on its website, the company — which has operations around the globe — said it had launched a "detailed investigation" into the incident.

"We have shared samples of the relevant variant with law enforcement, the Australian Cyber Security Centre (ACSC), and cyber security organisations to ensure the wider community is protected," it said.

"There continues to be no indication that any personal data has been lost as a result of the ransomware attack on our IT systems."

The ACSC has issued a public warning and has recommended organisations "update antivirus and other security tools".

"There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the user's address book to spread the malware," it said.
Click to expand...

guest · Feb 10, 2020

Ransomware cripples Havre Public Schools computer system
February 10, 2020
https://www.missoulacurrent.com/business/2020/02/ransomware-havre-schools/

The Havre Public Schools superintendent learned via a phone call early Tuesday that ransomeware had hacked and “crippled” the school district’s computer system.

Superintendent Andy Carlson soon learned that Ryuk ransomware was holding the district’s computer data system hostage.
How much money did the attackers demand?
The long-time superintendent said he didn’t know the precise number. But the amount was so outrageously beyond the district budget that an exact number was irrelevant.

“They’re talking tens of millions of dollars,” Carlson said Friday afternoon, adding that Ryuk wanted the ransom paid in Bitcoins.
The amount Carlson cited is high, even for this particular cybercrime group
Click to expand...

guest · Feb 10, 2020

Ragnar Locker Ransomware Targets MSP Enterprise Support Tools
February 10, 2020
https://www.bleepingcomputer.com/ne...somware-targets-msp-enterprise-support-tools/

A ransomware called Ragnar Locker is specifically targeting software commonly used by managed service providers to prevent their attack from being detected and stopped.
Attackers first began using the Ragnar Locker ransomware towards the end of December 2019 as part of attacks against compromised networks.

What has not been seen in other ransomware, though, is that Ragnar Locker is specifically targeting remote management software (RMM) commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.
These applications are used by an MSP to provide remote support and software management to their clients.
Click to expand...

Minimalist · Feb 12, 2020

Report: The cost of ransomware in 2020. A country-by-country analysis

In The State of Ransomware in the US: Report and Statistics 2019, we examined the number of ransomware attacks on the U.S. public sector and the cost of those attacks. In this report, we will examine the number of attacks on both the public and private sectors for a number of countries and estimate the cost, including the cost of downtime, of those attacks on a country-by-country basis as well as estimate the overall global costs.
Click to expand...

https://blog.emsisoft.com/en/35583/...omware-in-2020-a-country-by-country-analysis/

guest · Feb 12, 2020

Nacogdoches ISD consults city of Garrison after recent ransomware attack
February 12, 2020
https://www.ktre.com/2020/02/12/nac...city-garrison-after-recent-ransomware-attack/

Nacogdoches Independent School District and the city of Garrison are working together to determine whether both entities were hit by the same ransomware attack in recent days.

Russell Wright, the mayor of Garrison, said the city shut down several computers Monday when signs of an attack appeared. By Wednesday, all data was recovered and the city was functioning with no issues.
The same could not be said about Nacogdoches ISD; hundreds of computers remained shut down Wednesday as a precautionary measure. Technicians began looking over servers and even called in a third-party forensics company to determine what data had been backed up.

The district’s insurance will reimburse a portion of the cost to hire third-party companies, though, the district has not said how much that might be.
Click to expand...

Minimalist · Feb 12, 2020

Ransomware meets sextortion: this ransomware demands explicit pics to unlock your data

We just released an updated decryptor for the “Ransomwared” strain of ransomware that can unlock files appended with extensions such as .ransomwared and .iwanttits.

While most ransomware strains require monetary compensation in return for a decryptor, Ransomwared is demanding a more unusual payment.
Click to expand...

https://blog.emsisoft.com/en/35679/...re-demands-explicit-pics-to-unlock-your-data/

Log in or Sign up

Ransomware and Recent Variants

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

FanJ Updates Team

guest Guest

guest Guest

guest Guest

FanJ Updates Team

guest Guest

FanJ Updates Team

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Krusty Registered Member

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Minimalist Registered Member

Log in or Sign up

Ransomware and Recent Variants

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

FanJ Updates Team

guest Guest

guest Guest

guest Guest

FanJ Updates Team

guest Guest

FanJ Updates Team

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Krusty Registered Member

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Minimalist Registered Member

Useful Searches