Tag Archive for: Disrupted

Ragnar Locker site disrupted in international law enforcement crackdown


CyberScoop reports that the Ragnar Locker ransomware group, also known as Viking Spider, had its data leak site seized by the FBI and 15 other law enforcement agencies around the world as part of an international crackdown against ransomware infrastructure.

No further information regarding the extent of the takedown operations against the ransomware gang was provided. However, Ragnar Locker, which emerged in 2019, was noted by CrowdStrike Senior Vice President of Counter Adversary Operations Adam Meyers to be among the first ransomware groups that targeted corporations and other major entities to obtain significant payouts.

Ragnar Locker had 100 organizations across 27 industries listed on its data leak site prior to the disruption, Meyers said.

The dismantling of Ragnar Locker’s leak site comes after sanctions against TrickBot members and the disruption of the Hive ransomware operation, as well as the thwarting of Russia’s CyclopsBlink botnet and Chinese attacks against Microsoft Exchange servers.


Data exposed in Des Moines schools ransomware attack that disrupted district


Des Moines Public Schools says some data was exposed in a confirmed ransomware attack that caused major disruptions in early January and canceled school for two days.

They’re just not saying what data — at least for now.

Interim Superintendent Matt Smith confirmed Friday the data compromise during the cyberattack but said the district is still investigating. Those affected by the data breach will receive a notification letter, he said. No timeline has been set.

“We’re still gathering the information on exactly the who and the what of that exposure of that information,” Smith said. “But as that information is becoming available, we’ll be reaching out to those individuals specifically, again, by U.S. Mail.”

Smith declined to say what new cybersecurity features were implemented because it could make the district vulnerable to another attack.

“I can tell you that we take it very, very seriously, and we are taking the necessary steps to ensure that any vulnerability that we may have is being shored up,” Smith said. “I can’t go into any more details other than that.”

On the morning of Jan. 9, IT staff at Iowa’s largest school district took 71 buildings — including 63 schools and the virtual secondary school — offline to limit the ransomware’s impact. For the next two days, about 30,000 students were out of school as staff worked to restore servers, the internet, networks and websites.

Students returned to school without internet Jan. 12, and wifi was not restored to all buildings until Jan. 27, district officials said.

The loss of two school days caused officials to move back the last day of school from May 31 to June 2.

“We’ve got internet back up and running and a lot of our systems are restored,” Smith said, “and so school as we know it prior to Jan. 9 is in full effect.”

Des Moines Public Schools interim Superintendent Matt Smith.

The IT staff investigated, along with the district’s cyber insurance company and the local offices of the Federal Bureau of Investigation and Department of Homeland Security.


Officials did receive a ransom request.

“Given where we…


EU and UK Blame Russia for Hack That Disrupted Viasat’s Satellite Internet


UPDATE: The White House is also blaming the Kremlin for the hack on Viasat. “The United States is joining with allies and partners to condemn Russia’s destructive cyber activities against Ukraine,” the US State Department said in a statement.

Original Story: The European Union and UK are officially blaming the Russian government for the Feb. 24 hack that targeted satellite internet provider Viasat. 

On Tuesday, both the EU and UK condemned the Kremlin for the cyberattack, which caused internet outages for thousands of Viasat customers across Europe. 

In response, the EU is mulling whether to punish Russia. “The European Union, working closely with its partners, is considering further steps to prevent, discourage, deter and respond to such malicious behavior in cyberspace,” the governing body said. 

The hack occurred an hour before Russia began its invasion of Ukraine, according to the UK. The goal was to shut down satellite internet access for Ukraine’s military. However, the hack also ensnared consumer and commercial customers, including wind farm operators in Europe.  

The EU didn’t elaborate on the evidence linking Russia to the hack on Viasat. But the UK cited an analysis from its National Cyber Security Centre, which found that it was “almost certain Russia was responsible.” The US also contributed intelligence suggesting the Kremlin was behind the attack, the UK added.

Security researchers have uncovered the malware likely responsible for causing the disruption at Viasat. Dubbed AcidRain, it’s designed to erase data from modems and routers, and has similarities with another malware strain that’s been connected to Russian state-sponsored hackers, according to the security firm SentinelOne. 

In the meantime, the EU is concerned the continent could suffer a similar incident in the future, citing how Russia continues to bombard Ukraine with destructive malware attacks. 

“Cyberattacks targeting Ukraine, including against critical infrastructure, could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk,” the EU said.

Viasat didn’t immediately respond to a request for comment. But the US…


The FBI Disrupted Russian GRU Botnet Malware Through a Court Order Before It Could Be Weaponized


The Federal Bureau of Investigation (FBI) said it shut down a Russian GRU botnet malware through a court-authorized operation before it could be weaponized.

The botnet targeted Firebox firewall appliances from WatchGuard Technologies, hardware used by many small and midsized businesses.

The DOJ said the operation involved copying and removing “malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”

U.S. Attorney General Merrick Garland also disclosed that US authorities worked with WatchGuard to analyze the malware, remove it before it could be used, and create detection and remediation techniques.

Russian GRU botnet malware linked to Sandworm APT

The FBI said the botnet used Cyclops Blink malware associated with the Sandworm (also known as Voodoo Bear) team. The group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses,” FBI Director Christopher Wray said in a press statement.

The Sandworm hacking group is responsible for large-scale cyber attacks including the worldwide NotPetya campaign, Ukraine’s power grid shutdown in 2015, the French presidential campaign hack, the 2018 Winter Olympics Destroyer, and attacks on the Organization for the Prohibition of Chemical Weapons (OPCW).

The Cyclops Blink malware emerged in 2019 as a replacement for the VPNFilter malware that the Justice Department brought down through another court-authorized action in 2018.

On Feb 3, 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued an advisory on Cyclops Blink malware targeting WatchGuard and Asus networking devices.

Similarly, researchers from Trend Micro warned in March 2022 that the Cyclops Blink malware targeted devices in non-critical infrastructure organizations to…
