Tag Archive for: Crew

US-Canada water org confirms ‘cybersecurity incident’ after ransomware crew threatens leak • The Register


The International Joint Commission, a body that manages water rights along the US-Canada border, has confirmed its IT security was targeted, after a ransomware gang claimed it stole 80GB of data from the organization.

“The International Joint Commission has experienced a cybersecurity incident, and we are working with relevant organizations to investigate and resolve the situation,” a spokesperson for the org told The Register.

The spokesperson declined to answer specific questions about what happened, or confirm the miscreants’ data theft claims.

IJC is a cross-border water commission tasked with approving projects that affect water levels of the hundreds of lakes and rivers along the US-Canada border. It also resolves disputes over waters shared between the two countries. 

On September 7, the NoEscape ransomware crew listed IJC as a victim on its dark-web site, and claimed it breached the commission’s network, and then stole and encrypted a flood of confidential data. This info, according to the crooks, included contracts and legal documents, personal details belonging to employees and members, financial and insurance information, geological files, and “much other confidential and sensitive information.”

The cyber-crime gang has given the IJC ten days to respond to its ransom demand, or it may make the swiped info public. 

“If management continues to remain silent and does not take the step to negotiate with us, all data will be published,” the NoEscape leak notice threatened. “We have more than 50,000 confidential files, and if they become public, a new wave of problems will be colossal. For now, we will not disclose this data or operate with it, but if you continue to lie further, you know what awaits you.”

The IJC spokesperson contacted by The Register declined to comment on the ransom demand or if the commission would pay.

Who is NoEscape?

NoEscape is a ransomware-as-a-service operation that appeared in May and takes a double-extortion approach. That means instead of simply infecting victims’ machines with malware, encrypting their files and demanding a ransom to release the data, the crooks first steal the files before locking them up. They threaten to…


Ransomware crew claims to have hit Save The Children • The Register


Cybercrime crew BianLian claims to have broken into the IT systems of a top non-profit and stolen a ton of files, including what the miscreants claim is financial, health, and medical data.

As highlighted by VX-Underground and Emsisoft threat analyst Brett Callow earlier today, BianLian bragged on its website it had hit an organization that, based on the gang’s description of its unnamed victim, looks to be Save The Children International. The NGO, which employs about 25,000 people, says it has helped more than a billion kids since it was founded in 1919.

BianLian added that its victim, “the world’s leading nonprofit,” operates in 116 countries with $2.8 billion in revenues. The extortionists claim to have stolen 6.8TB of data, which they say includes international HR files, personal data, and more than 800GB of financial records. They claim to also have email messages as well as medical and health data.

Presumably BianLian intends to leak or sell this info if a ransom demand is not met. The NGO did not immediately respond to The Register's inquiries.

We should note The Register has not been able to verify the crooks’ claims. But we tend to agree with VX-Underground, which opined: “BianLian ransomware group needs to be punched in the face.” And while breaking into and extorting a nonprofit whose focus is to make children “healthier, safer and better educated” seems beneath even the most tragic of cyber-criminals, it’s pretty much par for the course with BianLian.

The crew, which has been around since June 2022, has made a name for itself by targeting healthcare and critical infrastructure sectors. 

While BianLian started off as a double-extortion ransomware crew — steal data, encrypt systems, and threaten to leak files and not provide a decryption key unless the victim pays a ransom — earlier this year, they shifted to pure extortion, as before but minus the encryption, according to government and…


BianLian ransomware crew goes 100% extortion after free decryptor lands • The Register


The BianLian gang is ditching the encrypting-files-and-demanding-ransom route and instead is going for full-on extortion.

Cybersecurity firm Avast’s release in January of a free decryptor for BianLian victims apparently convinced the miscreants that there was no future for them on the ransomware side of things and that pure extortion was the way to go.

“Rather than follow the typical double-extortion model of encrypting files and threatening to leak data, we have increasingly observed BianLian choosing to forgo encrypting victims’ data and instead focus on convincing victims to pay solely using an extortion demand in return for BianLian’s silence,” threat researchers for cybersecurity company Redacted wrote in a report.

A growing number of ransomware groups are shifting to relying more on extortion than data encryption. However, it seems the impetus for this gang’s move was that Avast tool.

When the security shop rolled out the decryptor, the BianLian group in a message on its leak site boasted that it created unique keys for each victim, that Avast’s decryption tool was based on a build of the malware from the summer of 2022, and that it would terminally corrupt files encrypted by other builds.

The message has since been taken down and BianLian changed some of its tactics. That includes not only moving away from ransoming the data, but also how the attackers post masked details of victims on their leak site to prove they have the data in hand in hopes of further incentivizing victims to pay.

Masking victim details

That tactic was in their arsenal before the decryptor tool was available, but “the group’s use of the technique has exploded after the release of the tool,” Redacted researchers Lauren Fievisohn, Brad Pittack, and Danny Quist, director of special projects, wrote.

Between July 2022 and mid-January, postings that included masked victim details accounted for 16 percent of the entries on the group's leak site. In the two months since the decryptor was released, masked victim details appeared in 53 percent of the postings. The group is also getting the masked details onto the leak site faster, sometimes within 48 hours of the compromise.

The group also is doing its research…


Ziggy Ransomware Crew Quits Business, Refunds Victims’ Stolen Money


The Ziggy ransomware crew, which ostensibly quit the business in early February 2021 in a fit of remorse, said it will return the money it extorted to any victim who sends an email containing proof of payment.

So, if you paid the cyber crime perps a ransom, you send the amount paid in Bitcoin along with the computer ID, and the money will be shuttled to your Bitcoin wallet in about two weeks, said Ziggy's admin, who reportedly has spoken with Threatpost and BleepingComputer. The Bitcoin value on the day of payment would be the basis for calculating the refund.

The Ziggies apparently feared law enforcement repercussions if they continued their cyber kidnappings, the Ziggy rep told Threatpost. “Hello dear. Yes, I’m Ziggy ransomware developer. We decided to return victims’ money because we fear law enforcement action,” the person told Threatpost.

They have a point. In January 2021, international law enforcement and judicial authorities in eight countries dismantled the Emotet botnet, widely regarded as the world’s most dangerous and notorious malware operation, taking it down from the inside by redirecting hundreds of infected machines to a law enforcement environment.

At the same time, the U.S. Justice Department said it had hit the NetWalker ransomware syndicate, which operates as a ransomware-as-a-service model, by seizing nearly $500,000 in cryptocurrency from ransom payments and disabling a dark web hidden resource used to communicate with the gang’s victims. Ziggy’s withdrawal amounts to a victory for law enforcement, which has repeatedly said that an accumulation of indictments and actions to gut hackers’ infrastructure would discourage further attacks.

Ziggy reportedly propagated garden variety ransomware, picking on computers to encrypt files and then demanding a sum of money to reverse their handiwork. The cyber kidnappers evidently didn’t steal files. According to Threatpost, Ziggy has released more than 900 decryption keys, which will unlock the victims’ files. There’s a bit of a catch to the whole thing. Using the sullied money, Ziggy made a couple of bucks. When Ziggy released…
