Ransomware Gangs threaten to sell or publish Victims' Data if Not Paid

guest · Jul 22, 2020

mood said: ↑

Cloud provider stopped ransomware attack but had to pay ransom demand anyway
BlackBaud said it had to pay a ransom demand to ensure hackers would delete data they stole from its network
July 17, 2020
https://www.zdnet.com/article/cloud...e-attack-but-had-to-pay-ransom-demand-anyway/
Click to expand...

University of York Investigating Data Theft Incident
July 22, 2020
https://www.infosecurity-magazine.com/news/university-york-investigating/

The University of York has launched an investigation after it had personal details of staff and students stolen by hackers.

As outlined in a statement on the university’s website, the source of the breach was an attack on a third-party service provider, tech firm Blackbaud, which fell victim to ransomware in May 2020. The University of York was first informed of the incident on July 16.

“The cyber-criminal was able to remove a copy of a subset of data from a number of their [Blackbaud’s] clients. This included a subset of University of York data.”
Click to expand...

However, it said that a Backbaud investigation found that no encrypted information, such as bank account details or passwords were accessed, whilst no credit card information formed part of the data theft either.

“We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cyber-criminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cyber-criminal that the data had been destroyed,” the statement continued.
Click to expand...

guest · Jul 24, 2020

Blackbaud Breach Hits Nine More Universities
July 24, 2020
https://www.infosecurity-magazine.com/news/blackbaud-breach-hits-nine-more/

A combined ransomware and data breach attack on a US cloud computing provider in May has affected many more universities and non-profits than at first thought.

Infosecurity reported on Wednesday how the University of York in northern England had notified affected staff and students that their personal details may have been compromised as a result of the incident at Blackbaud two months ago.
However, the list of affected Blackbaud customers now stretches to 12, including several more universities in the UK and North America, plus Human Rights Watch and mental health charity Young Minds, according to the BBC.
Click to expand...

Cath Goulding, CISO at Nominet, argued that it was “worrying” that the firm had paid the ransom, against general best practice advice, adding that this could encourage future attacks.

“Once again, multiple parties have been exploited through a common component in their supply chain. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise across organizations and between them,” she said.
Despite paying the ransomware attackers in this case, Blackbaud maintains that it follows “industry standard best practices.” It has reportedly refused to reveal the full list of clients affected by this breach out of privacy concerns.
Click to expand...

guest · Jul 24, 2020

Spanish state-owned railway infrastructure manager ADIF infected with ransomware
July 24, 2020
https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html

Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager was hit by REVil ransomware operators.
ADIF (Administrador de Infraestructuras Ferroviarias) is charged with the management of most of Spain’s railway infrastructure, that is the track, signaling and stations.

The company has over 13,000 employees for a revenue of around $8 Billion.
The hackers claimed to have stolen 800GB of data including correspondence and contracts.
Click to expand...

As proof of the attack, REVil ransomware operators have posted a sample of data files exfiltrated from the company. If ADIF will refuse to pay the ransom, REvil ransomware operators will leak their confidential data online.

“Simultaneously with the publication, the third attack will follow,” the reads a message posted on their leak site. “We will continue to download your data until you contact us.”
Adif confirmed to IRJ that it has suffered a ransomware attack and added that its internal security services immediately mitigated it.
Click to expand...

guest · Jul 26, 2020

Sydney strata management firm Strata Plus hit by Maze ransomware
July 25, 2020
https://www.itwire.com/security/syd...-firm-strata-plus-hit-by-maze-ransomware.html

The gang has used the Maze website to provide an indication that it has carried out an attack, but says proof will only be available later.
The Sydney-based firm provides tailored management solutions for strata and community schemes, and building management committees, according to its website.

Other attacks of note have been on the Texas foundry group X-FAB, a Thailand power authority, the Belgian accounting firm HLB and the global defence group ST Engineering.
There were also claims of a Maze attack on South Korea's LG group, but these were called into question by Emsisoft ransomware threat researcher Brett Callow who described the group as a "bunch of lowlifes", adding that lowlifes were not known for their honesty.
Click to expand...

Callow added that it now looked like these groups could be auctioning data from old attacks that happened before they launched their leak site, all tactics that seemed to indicate desperation.
Click to expand...

guest · Jul 28, 2020

SEI Investments customer data exposed in ransomware attack on vendor
July 27, 2020
https://www.scmagazine.com/home/sec...-data-exposed-in-ransomware-attack-on-vendor/

A May ransomware attack on M.J. Brunner Inc. exposed data pertaining to clients of SEI Investments Co., among them money managers like Pacific Investment Management Co. (Pimco), Fortress Investment Group LLC and Centerbridge Partners.

SEI Investments said in a statement that the attack was not the result of any flaw in its network. Instead, the fault stemmed from a hack at vendor M.J. Brunner, which developed and maintains the investment company’s dashboard as well as its online enrollment portal, according to a Wall Street Journal report, citing sources who said user names, emails and some physical addresses and phone numbers were nicked from the provider.

“We take our clients’ security very seriously, and we are working with Brunner, the Federal Bureau of Investigation and our impacted clients to understand the extent to which SEI’s or our clients’ data has been exposed,” the spokesperson said.
The incident also highlights the dangers posed by ever more common supply chain attacks.
Click to expand...

Major hedge fund sees customers' personal data stolen by hackers

Data published online after service provider refused to pay ransom
According to ZeroHedge, a hacking group called RagnarLocker published a full data dump (over 570GB) obtained from the attack at mazenews[DOT]top, a site linked with phishing attempts. The data published includes usernames and passwords, as well as SQL files with live client data.
Click to expand...

guest · Jul 28, 2020

Nefilim ransomware operators leaked data alleged stolen from the Dussmann group
July 28, 2020
https://securityaffairs.co/wordpress/106487/data-breach/dussmann-group-nefilim-ransomware.html

Researchers from threat intelligence firm Cyble reported that Nefilim ransomware operators allegedly targeted the Dussmann group, the German largest private multi-service provider. The Dussmann Group has over 64,500 employees in 22 countries, it is one of the largest private multi-service providers worldwide.

During its continuous darkweb and deepweb monitoring, the Cyble Research Team came across the post of Nefilim ransomware operators in which the crew claimed to have breached The Dussmann Group and have exfiltrated sensitive data.
Below the message published by Nefilim ransomware operators to announce the data breach: [...]
Click to expand...

“The data leak seems to consist of corporate operational documents which include the company’s claim settlement documents, compulsory security mortgages documents, legal contracts, Cooperation and Project agreements, and much more.” reads the post published by Cyble.
The ransomware gang is now threatening the company of releasing other stolen data if it will not pay the ransom.
Click to expand...

guest · Jul 28, 2020

National Trust joins victims of Blackbaud hack
July 28, 2020
https://www.bbc.co.uk/news/technology-53567699

Others involved include homeless charities The Wallich and Crisis, the terminal illness charity Sue Ryder, and the mental health group Young Minds.
The UK's Information Commissioner's Office (ICO) told the BBC that 125 organisations had reported to it in relation to the incident "so far".
They include dozens of universities.

"BlackBaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries," a spokeswoman for the ICO said.
Click to expand...

Ransomware payment
Blackbaud has said that it became aware of the matter in May, and subsequently paid the attackers a ransom.
Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted.
Click to expand...

guest · Jul 29, 2020

FBI warns of Netwalker ransomware targeting US government and orgs
July 29, 2020
https://www.bleepingcomputer.com/ne...-ransomware-targeting-us-government-and-orgs/

The FBI has issued a security alert about Netwalker ransomware operators targeting U.S. and foreign government organizations, advising their victims not to pay the ransom and reporting incidents to their local FBI field offices.
FBI's flash alert also provides indicators of compromise associated with the Netwalker ransomware (also known as Mailto) and includes a list of recommended mitigation measures.
Exploiting pandemic fears and software vulnerabilities
Starting with April 2020, Netwalker began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims' networks.

"Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935)," the FBI says.
Click to expand...

Recommended mitigation measures
Organizations can drastically lower the chances of becoming a Netwalker victim by using multi-factor authentication (MFA) with strong passwords and keeping all devices and software on their networks up to date.
Click to expand...

guest · Jul 31, 2020

'Payment sent' - travel giant CWT pays $4.5 million ransom to cyber criminals
July 31, 2020
https://in.reuters.com/article/us-c...llion-ransom-to-cyber-criminals-idINKCN24W25W

U.S. travel management firm CWT paid $4.5 million this week to hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline, according to a record of the ransom negotiations seen by Reuters.

The attackers used a strain of ransomware called Ragnar Locker, which encrypts computer files and renders them unusable until the victim pays for access to be restored.
The ensuing negotiations between the hackers and a CWT representative remained publicly accessible in an online chat group, providing a rare insight into the fraught relationship between cyber criminals and their corporate victims.
Click to expand...

DIGITAL RANSOM NOTE
The hackers initially demanded a payment of $10 million to restore CWT’s files and delete all the stolen data, according to the messages reviewed by Reuters. “It’s probably much cheaper than lawsuits expenses (sic), reputation loss caused by leakage,” the attackers wrote on July 27.

In a ransom note left on infected CWT computers and screenshots posted online, the hackers claimed to have stolen two terabytes of files, including financial reports, security documents and employees’ personal data such as email addresses and salary information.
Click to expand...

The Register: First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

It appears that Carlson Wagonlit may have paid a ransom demand in excess of 400 Bitcoins, or $4.5m at current rates – a sum its $1.5bn annual revenues may have been able to absorb without too much trouble. A Twitter user posted the first indication of a breach, as well as the ransom, on Thursday: [...]

Carlson Wagonlit, which recently rebranded itself CWT, provides travel and hotel booking services on what it calls a B2B2E basis – business to business to employee.
Click to expand...

Updated to add
The Information Commissioner's Office got in touch to let us know: "Carlson Wagonlit UK Ltd have reported an incident to us. We will be assessing the information provided."
Click to expand...

guest · Aug 3, 2020

More data breaches from ransomware attacks in Australia
August 3, 2020
https://www.computerweekly.com/news...breaches-from-ransomware-attacks-in-Australia

Ransomware attacks were one of the top causes of data breaches in Australia during the first half of this year, according to the latest statistics report from the Office of the Australian Information Commissioner (OAIC).

According to the report, the number of data breaches caused by ransomware rose from 13 in the previous six-month period to 33 between January and June.

“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.
“This trend has significant implications for how organisations respond to suspected data breaches – particularly when systems may be inaccessible due to these attacks.
Click to expand...

guest · Aug 3, 2020

Aged care operator's sensitive data stolen in foreign cyber attack
August 3, 2020
https://www.smh.com.au/business/com...n-in-foreign-cyberattack-20200803-p55hxl.html

ASX-listed aged care operator Regis has been hit by an international cyber attack that has led to the release of sensitive personal data, adding to the woes of the company which is battling a coronavirus outbreak at one of its Melbourne centres.

The $400 million operator told investors on Monday an "overseas third party" was responsible for an attack on its operations resulting in data being copied from its servers and publicly released. The incident has not disrupted its services, the company said.

"The company is contacting parties whose personal data has been publicly released," Regis said in a statement.
A file of documents seemingly related to the company's Burnside facility in Adelaide was posted to a public website over the weekend.
Click to expand...

The federal Australian government's cyber security centre issued a "critical" warning on Sunday that ransomware known as Maze is threatening aged care facilities across the country.

"The ‘Maze’ ransomware is designed to lock or encrypt an organisation’s valuable information so that it can no longer be used and has been observed being used alongside other tools which steal important business information," the centre said in an update on Sunday.
Click to expand...

guest · Aug 3, 2020

Textile Cutting Expert ‘Lectra’ Struck by the Maze Ransomware Group
The ransomware group has already leaked 5% of the stolen data, and they are threatening to release more soon
August 1, 2020
https://www.technadu.com/textile-cutting-expert-lectra-struck-maze-ransomware-group/164542/

The Paris-based CAD, CAM, software, and textile cutting equipment firm ‘Lectra’ has been compromised by the Maze ransomware group. As confirmed by the Cyble research team, the prolific group of actors has already published 5% of the data they stole from the company’s systems, in the context of the typical coercion procedure.

The leak contains screenshots taken during the breach, showing which drives have been exfiltrated by the actors. All in all, there are invoices, financial documents, client details, system details, and many more sensitive details in the leak.
Lectra is a big player in the field, employing 1,650 people and having a yearly income of about $30 million.
Click to expand...

What is particularly interesting in this case is that it’s the fourth recent ransomware attack on a big French company. This month alone, Netwalker has breached Axens SA and Rabot Dutilleul, while Nefilim operators struck Orange S.A., a big telco in the country. All of this could be unconnected, although it’s very likely that malicious actors exchange info, help each other, and generally move in some level of coordination
Click to expand...

guest · Aug 3, 2020

NetWalker ransomware gang has made $25 million since March 2020
August 3, 2020
https://www.zdnet.com/article/netwalker-ransomware-gang-has-made-25-million-since-march-2020/

The operators of the NetWalker ransomware are believed to have earned more than $25 million from ransom payments since March this year, security firm McAfee said today.

Although precise and up-to-date statistics are not available, the $25 million figure puts NetWalker close to the top of the most successful ransomware gangs known today, with other known names such as Ryuk, Dharma, and REvil (Sodinokibi).
McAfee, who recently published a comprehensive report about NetWalker's operations, was able to track payments that victim made to known Bitcoin addresses associated with the ransomware gang.
A SHORT INTRO AND HISTORY TO NETWALKER
NetWalker, as a ransomware strain, first appeared in August 2019. In its initial version, the ransomware went by the name of Mailto but rebranded to NetWalker towards the end of 2019. [...]
Click to expand...

McAfee: Take a “NetWalk” on the Wild Side

Conclusion
The recent shift to a business-centric model of Ransomware-as-a-Service is a clear sign that it is stepping up, so it seems that the NetWalker group is following in the footsteps of REvil and other successful RaaS groups.
As development of the ransomware continues, we have witnessed recent shifts in activity that closely follow in the footsteps of other ransomware developments, including threatening victims with the release of confidential information if the ransom is not met.
Click to expand...

guest · Aug 4, 2020

Ransomware gang publishes tens of GBs of internal data from LG and Xerox
August 4, 2020
https://www.zdnet.com/article/ranso...ns-of-gbs-of-internal-data-from-lg-and-xerox/

The operators of the Maze ransomware have published today tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts.

The hackers leaked 50.2 GB they claim to have stolen from LG's internal network, and 25.8 GB of Xerox data.
While LG issued a generic statement to ZDNet in June, neither company wanted to talk about the incident in great depth today.

If a victim refuses to pay the fee to decrypt their files and decides to restore from backups, the Maze gang creates an entry on a "leak website" and threatens to publish the victim's sensitive data in a second form ransom/extortion attempt.
Click to expand...

LG INCIDENT AND DATA
ZDNet has been tracking both incidents since they've been initially announced on the Maze website in late June.

"We decided not to execute [the] Maze [ransomware] because their clients are socially significant and we do not want to create disruption for their operations, so we only have exfiltrated the data," the Maze gang told ZDNet via a contact form on their leak site.
XEROX INCIDENT AND DATA
But while we have somewhat of an idea of what happened with the Maze attack on LG, things are a lot murkier when it comes to Xerox.
Click to expand...

guest · Aug 6, 2020

Netwalker ransomware operators claim to have stolen data from Forsee Power
August 6, 2020
https://securityaffairs.co/wordpress/106833/malware/forsee-power-netwalker-ransomware.html

A new company has been added to the list of the victims of the Netwalker ransomware operators, it is Forsee Power, which provides advanced lithium-ion battery systems for any mobility application.
The industrial group is based in France and in the US USA, it is one of the market leaders in Europe, Asia, and North America with annual revenue of around $65 million and over 200 employees.

Recently Cyble threat research group came across another disclosure from the Netwalker group that announced to have stolen sensitive data from Forsee Power.
Netwalker ransomware operators announced the attack with a message posted on their online blog and shared a few screenshots as proof of the security breach.
Click to expand...

guest · Aug 7, 2020

Blackbaud Breach Impacts National Trust Volunteers
August 7, 2020
https://www.infosecurity-magazine.com/news/blackbaud-breach-impacts-national/

Britain's National Trust has warned volunteers of a data breach linked to a cyber-attack on US cloud computing and software provider Blackbaud in May.

National Trust data exposed as a result of the ransomware attack on Blackbaud belongs to past and present volunteers and applicants for the trust's volunteer program.
Compromised information includes name, date of birth, gender, address, and contact details. The Trust assured its volunteers that while some sensitive information pertaining to equality monitoring was affected, no financial data was exposed.

In an August 7 email to users of its volunteer program, the National Trust's CIO, Jon Townsend, wrote: "Our membership systems and data were not affected."
Click to expand...

In the August 7 breach notification email, Townsend wrote: "On 16 July 2020 we were contacted by Blackbaud, the company that holds some of our volunteering data, to tell us that they’d been the victim of a cyber-attack."
Townsend told Trust volunteers that no action was required from them and apologized for any concern that may have been caused by the breach.
Click to expand...

guest · Aug 10, 2020

Avaddon ransomware launches data leak site to extort victims
August 10, 2020
https://www.bleepingcomputer.com/ne...re-launches-data-leak-site-to-extort-victims/

Avaddon ransomware is the latest cybercrime operation to launch a data leak site that will be used to publish the stolen data of victims who do not pay a ransom demand.

Since the Maze operators began publicly leaking files stolen in ransomware attacks, other operations soon followed suit and began creating data leak sites to publish stolen files.
These sites are designed to scare victims into paying a ransomware under threat that their files will be leaked to the public.
Click to expand...

Cybersecurity intelligence firm Kela has told BleepingComputer that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site.
At this time, there is only one entry on their site, where they leak 3.5MB of documents stolen from a construction company.

The attackers are hoping that the extra costs associated with data breaches and the potential reputational harm may push more victims into paying the ransom.
Click to expand...

guest · Aug 11, 2020

Ransomware Reportedly Hits Ventilator Maker
August 10, 2020
https://www.inforisktoday.com/ransomware-reportedly-hits-ventilator-maker-a-14801

A manufacturer of transit communication systems that pivoted to build ventilators during the COVID-19 pandemic is reportedly the latest victim of the DoppelPaymer ransomware gang.

Boyce Technologies Inc., based in Long Island City, New York, was targeted by the ransomware gang, which has threatened to leak data stolen in the incident unless the company pays a ransom, according to the news site Cointelegraph.
Boyce Technologies did not immediately respond to an ISMG request for comment on the alleged ransomware incident.
Click to expand...

guest · Aug 11, 2020

Nefilim ransomware operators claim to have hacked the SPIE group
August 10, 2020
https://securityaffairs.co/wordpress/106969/malware/nefilim-ransomware-spie-group.html

Researchers from threat intelligence firm Cyble reported that Nefilim ransomware operators allegedly hacked The SPIE Group, an independent European leader in multi-technical services.

During darkweb and deepweb monitoring, the Cyble Research Team discovered a post from Nefilim ransomware operators in which they claimed to have breached The SPIE Group.
The ransomware gang also revealed to have stolen the company’s sensitive data.
Click to expand...

Nefilim ransomware operators also released the first batch of file threatens to release other documents. Cyble experts analyzed the material, the first lot of data contains around 11.5 GB.

“The data leak seems to consist of corporate operational documents which include the company’s telecom services contracts, dissolution legal documents, power of attorney documents, infrastructure group reconstructions contracts, and much more.” reported Cyble.
The Nefilim ransomware operators released a total of 65,042 files contained in 18,551 data folders.
Click to expand...

guest · Aug 15, 2020

U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen
August 15, 2020
https://www.bleepingcomputer.com/ne...-giant-hit-by-cyberattack-1tb-of-data-stolen/

Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data; they plan on selling to the highest bidder the most important info and leak the rest.
Documents old and new, backups
Sodinokibi (REvil) ransomware operators announced on Friday that they had compromised Brown-Forman's computer network and spent more than a month examining user services, cloud data storage, and general structure.
Following the incursion, the attackers claim they stole 1TB of data that includes confidential information about employees, company agreements, contracts, financial statements, and internal correspondence.

In a post on their leak site, REvil published multiple screenshots with directory trees, files with names that appear to support their claims, and internal conversations between some employees. The pics show documents dating as far back as 2009.
Click to expand...

Ransomware failed to encrypt devices
"Unfortunately, we believe some information, including employee data, was impacted. We are working closely with law enforcement, as well as world-class third-party data security experts, to mitigate and resolve this situation as soon as possible," the Brown-Forman spokesperson told us.

At this moment, there are no active negotiations with the attacker, the company told BleepingComputer.
Although the final step in a ransomware attack is to encrypt data, REvil did not get to deploy this routine.
Click to expand...

"We still believe in the prudence of BROWN-FORMAN and are waiting for them to continue their discussion of a way out of this situation" - REvil posted.
Click to expand...

guest · Aug 17, 2020

Blackbaud ransomware attack exposed donor data from two UK charities
August 17, 2020
https://portswigger.net/daily-swig/...tack-exposed-donor-data-from-two-uk-charities

Another UK charity has confirmed that the personal data of its donors has been compromised as a result of the Blackbaud ransomware attack earlier this year.

Mines Advisory Group (MAG), a Manchester, UK-based non-profit involved in the clearance of landmines in war-torn countries, informed donors via email last week that their data may have been accessed by an unauthorized third party.
The announcement is the latest in a long line of data breach warnings from organizations who were impacted by a cyber-attack against Blackbaud, a provider of third-party customer relationship management software.

“Blackbaud informed us on July 16 that they had discovered and stopped a ransomware attack in May this year, successfully preventing a cybercriminal from taking control of their system and encrypting files,” the email from MAG reads.
Click to expand...

MAG’s announcement comes just two weeks after another Manchester-based charity, The Christie, informed supporters that it had been a victim of the Blackbaud breach.
The Christie, which provides cancer treatments for NHS patients, sent an email to donors on July 31 admitting that their data may have been exposed.

“We believe that your name and the contact information you shared with us may have been accessed,” the email reads.
Click to expand...

guest · Aug 17, 2020

World's largest cruise line operator Carnival hit by ransomware
August 17, 2020
https://www.bleepingcomputer.com/ne...ise-line-operator-carnival-hit-by-ransomware/

Cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend.
Carnival Corporation is the largest cruise operator in the world with over 150,000 employees and 13 million guests annually.

In an 8-K form filed with the Securities and Exchange Commission (SEC), Carnival Corporation has disclosed that one of its brands suffered a ransomware attack on August 15th, 2020.

"On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files," the cruise line operator stated in their filing.
Click to expand...

As part of the attack, Carnival states data was likely stolen and could lead to claims from those affected by the potential data breach.

"Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,"
The filing does not indicate the ransomware operation that compromised their network, and there are close to twenty different gangs that steal data as part of their attacks.
Click to expand...

guest · Aug 20, 2020

University of Utah pays $450K ransom to stop leak of stolen data
August 20, 2020
https://www.bleepingcomputer.com/ne...pays-450k-ransom-to-stop-leak-of-stolen-data/

The University of Utah has paid a $457,000 ransomware to prevent threat actors from releasing files stolen during a ransomware attack.

In a 'data security incident' notification posted today, the University of Utah disclosed that they were attacked by ransomware on Sunday, July 19, 2020.

"On Sunday, July 19, 2020, the university’s College of Social and Behavioral Science (CSBS) was notified by the university’s Information Security Office (ISO) of a ransomware attack on CSBS computing servers. Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college," the University of Utah disclosed.
The attack encrypted the servers in the university's College of Social and Behavioral Science (CSBS) department. As part of the attack, the threat actors stole unencrypted data before encrypting computers.
Click to expand...

As the stolen data contained student and employee information, the university decided to pay the ransom to prevent it from being leaked.

"After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet," stated in their data security incident notification.
Click to expand...

guest · Aug 21, 2020

DarkSide: New targeted ransomware demands million dollar ransoms
August 21, 2020
https://www.bleepingcomputer.com/ne...ed-ransomware-demands-million-dollar-ransoms/

A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts.

Starting around August 10th, 2020, the new ransomware operation began performing targeted attacks against numerous companies.
In a "press release" issued by the threat actors, they claim to be former affiliates who had made millions of dollars working with other ransomware operations.

DarkSide states that they only target companies that can pay the specified ransom as they do not "want to kill your business."
Click to expand...

From victims seen by BleepingComputer, DarkSide's ransom demands range from $200,000 to $2,000,000. These numbers can likely be more or less depending on the victim.
DarkSide steals data before encrypting victims
Like other human-operated ransomware attacks, when the DarkSide operators breach a network, they will spread laterally throughout a network until they gain access to an administrator account and the Windows domain controller.

While they spread laterally, the attackers will harvest unencrypted data from the victim's servers and upload it to their own devices.
This stolen data is then posted to a data leak site under their control and used as part of the extortion attempt.
Click to expand...

DarkSide states that if a victim does not pay, they will publish all of the data on their website for at least six months.
This extortion strategy is designed to scare a victim into paying the ransom even if they can recover from backups.
Click to expand...

guest · Aug 23, 2020

Thanks for the memories... now pay up or else: Maze ransomware crew claims to have hacked SK hynix, leaks '5% of stolen files'
More expected to leak unless extortionists are paid off
August 20, 2020
https://www.theregister.com/2020/08/20/maze_crew_sk_hynix/

The Maze hacker gang claims it has infected computer memory maker SK hynix with ransomware and leaked some of the files it stole.

The South Korean semiconductor giant could not be reached for comment. For what it's worth, the Maze crew doesn't tend to need to fib about these sort of things. When it claims to have infiltrated a victim – and it has pwned a great deal of organizations lately – it usually publicly shares data stolen from the compromised network as proof.
Click to expand...

A 570MB ZIP archive is provided as a download from the Maze site. It is supposedly just five per cent of the total amount siphoned from SK hynix, which suggests as much as 11GB was stolen by the gang after breaking into the corp's networks and before scrambling its files to hold them to ransom.
According to one person who has viewed the archive's contents, it appears to contain confidential NAND flash supply agreements with Apple [...]

For those unfamiliar, Maze offers something of a new take on the old ransomware racket.
Those that fail to meet the ransom demands have their corporate secrets handed out to the public.
Click to expand...

Cyble: One of the world’s largest chipmakers Got Allegedly Breached by Maze Ransomware Operators

The Cyble Research Team identified and analyzed the data leak of around 630 MB. The data leak includes sensitive corporate operational documents such as the company’s internal email conversations, administrative committee meeting minutes documents, service agreements, orders shipment invoices, legal juridical documents, and much more. Below are snapshots of the data leak being released by Maze ransomware operators-: [...]
Click to expand...

Log in or Sign up

Ransomware Gangs threaten to sell or publish Victims' Data if Not Paid

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Ransomware Gangs threaten to sell or publish Victims' Data if Not Paid

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches