Global ransomware payments expected to drop by one-third following crackdown on cybercrime.

Ransomware payments have dropped by over one-third compared to last year, totaling $813 million, as more victims refuse to pay cybercriminals and law enforcement cracks down on the gangs behind the attacks.

The decline covers attacks in which computers or data are locked and money is demanded to release them, and it came despite notable cases in 2024 in the UK and the US, including the well-known donut company Krispy Kreme and an NHS trust.

Last year’s ransomware payments fell from the record $1.25 billion in 2023, according to a research company that analyzes payment data, which said payments dropped significantly in the second half of the year because of law enforcement action and victims’ growing resistance to paying cybercriminals.

The total for 2024 was also lower than the $1.1 billion recorded in 2020 and the $999 million recorded in 2019. In ransomware attacks, criminals gain access to the victim’s IT system, steal data, encrypt it, and demand a ransom payment in bitcoin to decrypt the files and return the data.

Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, said the decrease in ransomware payments signals a shift in the ransomware landscape, pointing to the effectiveness of law enforcement measures, improved international cooperation, and the impact on both attackers and victims.

However, Burns Koven cautioned that the downward trend in payments is fragile, and ransomware attacks continue to be prevalent.

Further evidence that victims are refusing to comply with attackers’ demands: the ransom amounts demanded by cyber gangs exceeded the amounts actually paid by 53%.

During the same period, the number of ransom-related “on-chain” payments (payments recorded on the blockchain) decreased, indicating less compliance from victims.

One expert pointed to the international operation that took down the LockBit ransomware gang in February, as well as the disappearance of another cybercriminal group, Blackcat/Alphv.

Lizzy Cookson of a ransomware incident response firm said the current ransomware landscape is shaped by newcomers focusing on smaller targets with more modest ransom demands.

In the UK, the government is considering banning schools, the NHS, and local councils from paying ransomware demands. Private companies would need to report payments to the government, which could block them. Reporting ransomware attacks may also become mandatory if the legal changes are implemented.

Source: www.theguardian.com

Ransomware group issues warning that UK state is not profitable target | Cybercrime

Ransomware gangs have been warned that the UK state is not a profitable target after reports emerged that the British Library withstood a damaging cyberattack without giving in to the demands of the hackers responsible. The library has made clear that it did not pay any ransom to the attackers or engage with them in any way.

In a statement released as part of its review of the incident, the library said: “The library has not made any payments to the criminals who carried out the attack nor is it associated with them in any way. Ransomware gangs looking to target publicly funded institutions in the future need to be aware of the UK’s national policy as outlined by the NCSC [National Cyber Security Centre], which clearly prohibits such payments.”

Public institutions around the world, including governments, hospitals, schools, and universities, are frequent targets of ransomware attacks. These attacks typically involve encrypting or stealing sensitive data and demanding a ransom for its release or to restore access. Prompt ransom payments have been a common response because of weak cybersecurity practices and the urgent need to restore operations.

The British Library’s incident report highlights that the National Cyber Security Centre is escalating its efforts against ransomware, building on the government’s long-standing discouragement of ransom payments. The aftermath of the attack has left the library operating below capacity, with research services still not fully restored months later.

While the library holds secure copies of its digital collections, the lack of viable infrastructure on which to restore them has slowed the recovery. Efforts to combat ransomware have also been hampered by Russia’s withdrawal from international cybercrime cooperation following its invasion of Ukraine.

Recent crackdowns on ransomware gangs by international law enforcement agencies have shown some success, including the seizure of infrastructure belonging to the LockBit gang. However, concerns have been raised about the government’s handling of the ransomware threat, with calls for more attention and resources to address the growing cyber-attack landscape.

Source: www.theguardian.com

Russian LockBit ransomware hacker launches comeback attempt | Cybercrime

The LockBit ransomware gang is re-emerging, following a recent international crackdown that severely disrupted its operations.

Based in Russia, the group has created new dark web sites to showcase a handful of alleged victims and release stolen data. The gang is under investigation by the National Crime Agency in Britain, the FBI, and other law enforcement agencies, following a joint operation led by Europol that targeted the group last week.

In a statement issued in English and Russian, LockBitSupp, the group’s administrator, claimed that law enforcement agencies hacked its previous dark web site by exploiting vulnerabilities in PHP, a programming language commonly used for websites. The statement asserted that other servers hosting backup blogs that do not use PHP would continue leaking data from targeted companies.

The statement also admitted to personal negligence and irresponsibility, and expressed support for Donald Trump in the U.S. presidential election. The group even offered a job to the individual who hacked its main site. Law enforcement has said that LockBitSupp does not reside in the U.S. and has engaged with authorities.

The NCA said LockBit remains compromised, but that it is staying vigilant as the group may attempt to reorganize. Additionally, the U.S. has indicted two Russians for deploying LockBit ransomware globally, and Ukrainian police have arrested suspects linked to attacks carried out with LockBit’s malicious software.

The relaunched LockBit website has issued threats against U.S. government sites and listed more alleged hacking victims. Security experts say the group is attempting to resume operations but will face challenges because of the damage done by international law enforcement actions.

LockBit operates on a ransomware-as-a-service model, leasing its software to criminal affiliates in exchange for a cut of the ransom payments. After the setback, the group needs to rebuild its reputation within the criminal community to attract affiliates again.

Ransomware attacks involve hackers infiltrating a target’s systems, disabling them with malware, and encrypting files for ransom. More recently, attackers also exfiltrate sensitive data such as personal and customer information and demand payment in cryptocurrency, mainly Bitcoin, to decrypt files or delete the stolen copies. Last year saw a record $1.1 billion paid in ransomware payments.

Source: www.theguardian.com

VF Corp., owner of Vans and Supreme, reports stolen personal information and affected orders in alleged ransomware attack

US-based VF Corporation, which owns apparel brands such as Vans, Supreme and The North Face, said a cyberattack affected its ability to fulfill orders ahead of Christmas, one of the year’s biggest retail events.

The Denver, Colorado-based company said in a filing with federal regulators that the cyberattack, which it first detected on December 13, was a ransomware attack in which hackers “disrupted the company’s operations by encrypting some IT systems and stole data, including personal data, from the company.”

As a result, the company says its operations continue to be disrupted, including its “ability to fulfill orders.”

When TechCrunch tried to place an order on Vans’ website, it was greeted with the following message: “You will be notified by email when your item is shipped and can track it with the sender.”

VF Corporation said in a filing that the retail stores it operates around the world are open and consumers can purchase available products online. It is unclear when orders will be shipped, and a company spokesperson did not provide a timeline.

VF Corp. spokesperson Colin Wheeler provided TechCrunch by email with a statement reflecting the company’s regulatory filings. The company did not respond to TechCrunch’s questions about the incident, including whether it had received a ransom demand from the hackers.

The company has not yet disclosed how it was breached, what type of data was accessed, or how many individuals were affected, whether employees, customers, or both. It is also unclear who is behind the attack, as no ransomware group has yet claimed responsibility.

VF Corp. warned in a regulatory filing that the cyberattack would have a “significant impact” on its business until its systems are restored. “As the investigation into the incident is ongoing, the full scope, nature and impact of the incident is not yet known,” the filing states.

VF Corp disclosed the incident on the same day that the U.S. Securities and Exchange Commission’s new data breach disclosure rules went into effect. Under the rules, organizations must report material cybersecurity incidents, including data breaches, to federal securities regulators within four business days.

Source: techcrunch.com

The Emergence of Extortion as a Growing Ransomware Threat

Cybercriminals are becoming more aggressive in their efforts to maximize disruption and force payment of ransom demands, and new extortion tactics are now being put into practice.

In early November, the notorious ALPHV ransomware gang, also known as BlackCat, tried an unprecedented extortion tactic, weaponizing the U.S. government’s new data breach disclosure rules against one of the gang’s own victims. ALPHV filed a complaint with the U.S. Securities and Exchange Commission (SEC), alleging that digital lending provider MeridianLink had failed to disclose what the gang called a “significant breach of customer data and operational information,” a breach the gang itself had claimed credit for.

“We would like to draw your attention to a concerning issue regarding MeridianLink’s compliance with the recently adopted Cybersecurity Incident Disclosure Regulations,” ALPHV wrote. “We are aware that MeridianLink has failed to file the required disclosures under Item 1.05 of Form 8-K within the required four business days, as required by new SEC rules.”

ALPHV’s latest extortion campaign is the first of what is expected to become a trend in the months after the rule takes effect. Although novel, it is far from the only aggressive tactic used by ransomware and extortion gangs.

Hackers typically known for deploying ransomware are increasingly turning to “double extortion” tactics, in which, in addition to encrypting a victim’s data, they threaten to release stolen files if the ransom is not paid. Some go further with “triple extortion” attacks. As the name suggests, hackers take a three-pronged approach, extending their blackmail and ransom demands beyond the original victim to its customers, suppliers, and business partners. These tactics were used by the hackers behind the widespread MOVEit mass hack, a significant milestone in the trend toward extortion attempts that do not use encryption at all.

While vague definitions may not seem like the biggest cybersecurity issue facing organizations today, the distinction between ransomware and extortion matters, especially since the defenses against these two types of attack can be very different. The distinction also helps policymakers understand what ransomware trends actually look like and whether anti-ransomware policies are working.

What is the difference between ransomware and extortion?

The Ransomware Task Force defines ransomware as “an evolving form of cybercrime in which criminals remotely infiltrate computer systems” and demand a ransom in exchange for restoring data or for not releasing it.

In reality, ransomware attacks span a wide range. In an analysis shared with TechCrunch, ransomware experts Allan Liska, a threat intelligence analyst at Recorded Future, and Brett Callow, a threat analyst at Emsisoft, explained that ransomware, broadly defined, covers everything from a “$50 attack” that scoops up the contents of an insecure Elasticsearch instance to a devastating “encryption-based attack that poses a life threat to hospitals.”

“But obviously they’re very different animals,” Liska and Callow said. “One is an opportunistic porch pirate who steals Amazon deliveries, and the other is a team of thugs who break into homes, terrorize families, and take away all their possessions.”

The researchers say there are similarities between “encryption and extortion” attacks and “extortion-only” attacks, including their reliance on brokers who sell access to compromised networks. But there are also important differences between the two, especially for the victim’s clients, vendors, and customers, whose own sensitive data may be caught up in an extortion-only attack.

“We’ve seen this play out repeatedly, where attackers sift through stolen data to find the largest or most well-known organizations and launch attacks against them. This is not a new tactic,” Liska and Callow said, giving the example of one ransomware group that claimed to have hacked a major technology company when in fact it had stolen data from a little-known technology vendor.

“Preventing attackers from encrypting files on your network is one thing, but how do you protect the entire data supply chain?” Liska and Callow said. “In fact, many organizations don’t think about their data supply chain… yet each point in that supply chain is vulnerable to data theft and extortion attacks.”

We need a more precise definition of ransomware

Authorities have long discouraged hacked organizations from paying ransom demands, but it is not always an easy decision for companies victimized by hackers.

In encryption and extortion attacks, companies have the option of paying the ransom to obtain the key to decrypt their files. But when a company pays a hacker using extortion-only tactics to delete its stolen files, there is no guarantee that the hacker will actually delete them.

This was demonstrated in the recent ransomware attack on Caesars Entertainment, which paid the hackers in an effort to prevent the release of stolen data. In its own admission, Caesars told regulators that it had “taken steps to ensure that the data stolen by the wrongdoers is deleted, but we cannot guarantee the outcome.”

“In fact, we should assume they won’t do that,” Liska and Callow said, referring to claims that the hackers would delete the data they stole.

“With a better definition of ransomware that accounts for the distinction between different types of attacks, organizations will be able to better plan for and respond to any type of ransomware attack, whether it occurs within their own network or a third-party network,” Liska and Callow said.

Source: techcrunch.com

McLaren Healthcare discloses ransomware attack resulting in 2.2 million patient data theft

Michigan-based McLaren Healthcare has confirmed that the sensitive personal and health information of 2.2 million patients was compromised in a cyberattack earlier this year, for which a ransomware gang later claimed credit.

In a new data breach notification filed with the Maine attorney general, McLaren said hackers had access to its systems over a three-week period from July 28 to Aug. 23, before the health care company noticed the intrusion a week later on Aug. 31.

According to McLaren, the hackers accessed a wealth of medical information, including patients’ names, dates of birth, and Social Security numbers, as well as invoices, billing and diagnostic information, prescription and drug details, and information about diagnostic results and treatments. Medicare and Medicaid patient information was also taken.

McLaren is a healthcare provider with 13 hospitals in Michigan and approximately 28,000 employees. McLaren, which touts cost-efficiency efforts on its website, made more than $6 billion in revenue in 2022.

News of the incident broke in October when the Alphv ransomware group (also known as BlackCat) claimed responsibility for the cyberattack, saying it had stolen millions of patients’ personal information. Days after the cyberattack, Michigan Attorney General Dana Nessel warned residents that the breach “could potentially impact a large number of patients.”

TechCrunch reviewed several screenshots posted by the ransomware gang on its dark web leak site, which appeared to show access to the company’s password manager, internal financial statements, some employee information, and spreadsheets of patients’ personal and health information, including names, addresses, phone numbers, Social Security numbers, and diagnostic information.

Alphv/BlackCat claimed in the post that the gang had been in contact with McLaren representatives, but provided no evidence of this.

Contacted via email, McLaren spokesperson David Jones declined to comment beyond the company’s official statement or to answer questions about the incident, including whether the company had received a ransom demand or paid the hackers. McLaren’s chief information security officer, George Goble, was not made available for an interview.

McLaren is now facing at least three class action lawsuits in connection with the cyberattack.

Source: techcrunch.com