Cyber money heist: Why companies paying off hackers fuels ransomware crimes


80 PER CENT OF VICTIMS PAY RANSOM

Analysts told CNA that it is common for companies to pay up in a bid to protect their data, with Forbes reporting about 80 per cent of 1,200 victims surveyed decided to do so.

More than 72 per cent of businesses were affected by ransomware attacks as of 2023, Mr Backer told CNA, noting that it was an increase from the previous five years and was by far the highest figure reported.

Predictions also indicate ransomware will cost victims roughly US$265 billion annually by 2031, he added.

“In the heat of the moment and with pressures mounting, the decision to pay a ransom is definitely not an easy one,” said Mr Flores.

“Many choose to opt for this route for a few reasons, with the most common one being faster recovery time. With business operations and continuity at stake, paying the ransom and obtaining the decryption tool in return is sometimes the quicker option to resume activity.”

According to media reports in 2019, ride-hailing platform Uber allegedly paid a US$100,000 ransom and had the hackers sign non-disclosure agreements in exchange for the payment.

This shows that organisations are worried, noted Mr Backer.

Regarding banks like ICBC paying ransoms, he said such information is not usually disclosed to the public due to the sensitive nature of the incidents.

“Many organisations, including banks, may not disclose this due to concerns about reputation, legal implications, and the encouragement of further attacks.”

However, Dr Kerrison noted that the intention behind companies paying ransoms “might not always be to keep it a secret”. 

“Rather, it’s the best option available to them in the circumstances,” he said.

Mr Backer added that claims by attackers should be “treated with caution” as they might not always accurately reflect the reality of the situation.

Analysts also told CNA the rise of the ransomware-as-a-service (RaaS) model is one of the driving factors in the increase in ransom payment.

“RaaS made it possible for low-skilled cybercriminals to join the illicit industry, ultimately contributing to the surge in the number of victims,” said He Feixiang, an adversary intelligence research lead at Group-IB.

The RaaS business…

Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware


Cybersecurity firm SentinelOne warns of an increase in the number of new ransomware families designed to target VMware ESXi that are based on the leaked Babuk source code.

Targeting both Windows and Linux systems, the Babuk ransomware family was initially detailed in January 2021 and was used in attacks against numerous organizations.

In September 2021, the malware’s source code was leaked online by one of its operators, which allowed security researchers to release a free decryption tool for it roughly two months later.

The leaked source code has been used to create new ransomware variants, including RTM Locker and Rook, and was also used in the Rorschach ransomware. Both RTM Locker and Rorschach (aka BabLock) target ESXi servers too.

Over the past year, SentinelOne says in a new technical report, the source code was used to create at least 10 ransomware families specifically targeting VMware ESXi servers.

Other smaller ESXi ransomware operations also adopted the code, including House’s Mario, Play, Cylance (unrelated to the security firm with the same name), Dataf Locker, Lock4, and XVGV.

Infamous ransomware gangs such as Alphv/BlackCat, Black Basta, Conti, Lockbit, and REvil have been observed targeting ESXi deployments as well.

However, SentinelOne’s analysis of these malware families has revealed that only Conti and REvil ESXi lockers show overlaps with the leaked Babuk code.

The ESXiArgs locker that caused havoc earlier this year, however, showed very few similarities with Babuk, aside from the use of the same open-source Sosemanuk encryption implementation, the cybersecurity firm says.

“While ties to REvil remain tentative, the possibility exists that these groups – Babuk, Conti, and REvil – potentially outsourced an ESXi locker project to the same developer,” SentinelOne notes.

The identified links suggest that the two ransomware operations may have experienced small leaks or that they share code to collaborate, SentinelOne says.

Overall, the cybersecurity firm stresses that threat actors are increasingly using the Babuk code to build ESXi and Linux lockers and that they might also adopt the group’s…

The state of ransomware in 2023 and how digital currency fuels cyberattacks


By Parag Khurana

Ransomware was a major cybersecurity threat in 2022, causing widespread damage to individuals and organizations globally. For example, India saw one of its biggest ransomware attacks when the servers of the All India Institute of Medical Sciences (AIIMS) were targeted last year. Barracuda’s recent research finds that the volume of ransomware threats SOC teams detected spiked between January and June 2022 to more than 1.2 million per month. This trend is expected to persist in 2023, when ransomware gangs will become smaller and smarter.

With the emergence of ransomware-as-a-service, cybercriminals have made it easier to execute attacks. At the same time, research shows that ransomware attacks are also fueled by cryptocurrency. Given the rapid growth in the perceived value of cryptocurrency, attackers demand payment in cryptocurrency such as Bitcoin. More importantly, it is unregulated and difficult to trace, which makes it challenging for law enforcement agencies to track down the attackers or the funds received as ransom.

Over time, cybercriminals have introduced new techniques to their ransomware attacks, including countdown timers, incrementally increasing ransom amounts, and alternative payment platforms. The double-extortion trend emerged in 2021, where attackers steal sensitive data from victims and demand payment in exchange for a promise not to publish or sell the data to other criminals. In 2023, with the ransomware-as-a-service business model taking off and ransomware gangs like LockBit 3.0, Conti, and Lapsus$ making news headlines, organizations will experience an increased frequency of ransomware attacks with new tactics.

Attackers have also expanded their targets to include larger operational systems, such as hospital networks and transportation service providers. Education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%) are the dominant targets found by a cloud-first security solution provider. As more devices become connected to the internet, we can expect to see ransomware increasingly targeting beyond just computers and servers in the future.

While paying the ransom may unlock…

Lax Security Fuels Massive 8220 Gang Botnet Army Surge


Leveraging little more than Linux bugs, common cloud application vulnerabilities, and misconfigurations, the 8220 Gang has been able to use its latest IRC botnet to infect more than 30,000 hosts with its PwnRig cryptominer.

Researchers with SentinelOne reported observing this noteworthy increase in the number of infected hosts over the course of just the past month. In mid-2021, the analysts said the malicious botnet was running on just 2,000 hosts worldwide.

The 8220 Gang gets its name from its original command-and-control communications port choice: 8220.

“Over the past few years, 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,” the cloud botnet security warning explained. “From our observations, the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.”

Patching and better password hygiene would prevent most infections, researchers noted.

The report includes indicators of compromise (IoCs).
