Tag Archive for: Groups

Conti Ransomware Group’s $20 Million Threat to Costa Rican Government


In a threatening move, the notorious ransomware group Conti has demanded a $20 million ransom from the Costa Rican government, warning that it will release data it has exfiltrated if the demand is not met. The group has already begun leaking a portion of the data, comprising sensitive personal details of both citizens and government personnel.

Notorious for its relentless activity, the Conti ransomware group has targeted entities globally, including corporate businesses, individual internet users, and government agencies. The group is known for leaking stolen data to coerce its victims into paying the demanded ransom, the so-called double-extortion model.

The assault on the Costa Rican government is notably significant because it targeted the core institutions of a national government at scale. The attack has disrupted governmental services across Costa Rica and ignited concerns about the susceptibility of governments to such cyber threats.

Defying the group’s demands, the Costa Rican government has declared it will not pay the ransom. Efforts are underway to restore the affected systems and safeguard the government’s data against further intrusions.

This attack underscores the escalating risk of sophisticated ransomware attacks. As these threats broaden their victim base, it is imperative for both businesses and governments to strengthen their defenses against such cyber onslaughts.

Follow our detailed guide on ransomware protection to safeguard yourself from such threats. Key preventive measures include keeping software updated, using strong, unique passwords together with two-factor authentication, treating unexpected emails and links with caution, and regularly backing up data to storage an attacker on the network cannot reach. If a ransomware infection is suspected, it is advised to refrain from paying the ransom, as there is no guarantee of data recovery after payment. Instead, seek assistance from a cybersecurity expert.

Ransomware is malicious software that encrypts a victim's files and demands a ransom for the decryption key. Ransomware attacks pose a severe threat to businesses and individuals alike, often resulting in the loss of critical data.


Why Haven’t Ransomware Groups Assisted Russia’s Invasion?



Ransomware Task Force Members Square Pre-Invasion Assumptions With Reality

Artillery operated by the Ukrainian National Guard (Image: National Guard of Ukraine)

When Russia launched its all-out war against Ukraine in February 2022, many cybersecurity watchers feared ransomware groups would serve as a proxy force. But Moscow doesn’t appear to have deputized cybercrime-driven crypto-locking malware brigades.



So said participants in a panel held Friday by the Institute for Security and Technology on the ransomware implications of the Russian invasion of its European neighbor.


Rather than enlisting criminal ransomware groups into Russia’s cyber military operations against Ukraine, the invasion fractured major ransomware groups.


In particular, “political fissures” began to be seen in ransomware groups such as Conti, “as the world understood what Ukraine was about to suffer and started suffering and what Russia was doing in that,” said panelist Laura Galante, who has served as the U.S. intelligence community’s cyber executive and director of the Cyber Threat Intelligence Integration Center since May 2022. Ransomware hackers picked sides, she said.


The panelists gathered to mark the two-year anniversary of the IST's Ransomware Task Force recommendations for combating ransomware syndicates, including coordinating international cooperation and having the White House lead by example by launching a “whole of…

Source…

Meta Expunges Multiple APT, Cybercrime Groups From Facebook, Instagram


Facebook parent Meta said it thwarted the activity of three advanced persistent threat groups (APTs) in South Asia engaged in cyber espionage as well as six adversarial groups from various global regions engaged in what it deems “inauthentic behavior” on Facebook and other social networks.

The company’s takedown of these and other operations on its platforms reflects a steady, globally dispersed pattern of threat actors abusing online platforms to build elaborate social-engineering campaigns that lure and exploit Internet users, the company said.

In most of the cases, threat actors are using Facebook and other social networking and media platforms —including Twitter, Telegram, YouTube, Medium, TikTok, and Blogspot — to create various fake online accounts and personas, according to Meta. The attackers used fake identities, including job recruiters, journalists, or even military personnel, to earn credibility with users and legitimate entities so they could engage in malicious threat activity, the company said.

In its Quarterly Adversarial Threat Report released today, Meta detailed these incidents as well as actions it’s now taking to minimize security threats that leverage its platforms.

The report draws from Meta’s security monitoring of the use of its platforms, as well as monitoring of the Internet overall in order to flag malicious activity, which is increasingly becoming more dispersed across various platforms and geographies and thus harder to track, Nathaniel Gleicher, head of security policy at Meta, told journalists in a briefing on the report May 2.

“These threats are extremely persistent, and that they’re not going anywhere because the threat actors behind them are financially motivated,” he said. “That’s why we see … adversarial adaptation … including malware operators, spreading themselves across many places at once. So each phase of the campaign relies on a different service to survive.”

As part of its work to combat this activity, Meta also plans to release a tool later this year to help businesses identify malicious activity and the malware being used by the threat groups…

Source…

‘BellaCiao’ Showcases How Iran’s Threat Groups Are Modernizing Their Malware


A new malware strain that has been landing on systems belonging to organizations in the US, Europe, Turkey, and India has provided another indication of how Iran’s state-backed cyber-threat groups have been systematically modernizing their arsenals in recent years.

The malware, dubbed “BellaCiao,” is a dropper that Iran’s Charming Kitten advanced persistent threat (APT) group has been using in a highly targeted manner in recent months to gain and maintain unobtrusive initial access on target systems.

A Highly Customized Threat

Researchers at Bitdefender discovered the new malware when investigating activity related to three other recent malware tools associated with Charming Kitten. Their analysis of the malicious code — summarized in a blog post this week — uncovered a couple of features that set it apart from many other malware samples.

One was the specifically targeted nature of the dropper that ended up on each victim’s system. The other was BellaCiao’s unique and hard-to-detect style of communicating with its command-and-control (C2) server.

“Each sample we’ve collected is custom-built for each victim,” says Martin Zugec, technical solutions director at Bitdefender. Each sample includes hard-coded information that is specific to the victim organization, such as the company’s name, public IP addresses, and specially crafted subdomains.

Charming Kitten’s apparent intention in making the malware victim-specific is to blend in on host systems and networks, Zugec says. For instance, the subdomains and IP addresses the malware uses in interacting with the C2 are similar to the real domain and public IP addresses of the victim. Bitdefender’s analysis of the malware’s build information showed its authors had organized victims in different folders with names that indicated the countries in which they were located. The security vendor found that Charming Kitten actors used victim-optimized versions of BellaCiao, even when the target victim was from a noncritical sector.
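The victim-specific blending described above (C2 subdomains that embed the victim's name or resemble its real domain, and addresses that sit close to the victim's own public IP) is also what a defender can hunt for. The following is an added example, not Bitdefender's tooling or anything from the BellaCiao samples: a small heuristic that scans DNS answers for hostnames under a foreign registrable domain that carry our brand token or a near-miss of our domain, and for resolved addresses in our public /24 that we do not actually own. The organisation name, domains, IPs and log records are all constructed, and the "last two labels" domain split and the /24 proximity rule are simplifications chosen for the example.

```python
"""Heuristic hunt for victim-mimicking C2 indicators in DNS answers.

Added example (not from the original page or from Bitdefender). All names,
addresses and records below are constructed test data.
"""
import ipaddress
from dataclasses import dataclass, field


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real deployment
    would consult the Public Suffix List for multi-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Finding:
    host: str
    ip: str
    reasons: list = field(default_factory=list)


def analyse(org_domain, org_public_ips, dns_records, max_distance=2):
    """Return one Finding per suspicious (host, ip) pair.

    org_domain      -- our real registrable domain, e.g. "acme-corp.example"
    org_public_ips  -- addresses we actually own
    dns_records     -- iterable of (queried_host, resolved_ip) tuples
    max_distance    -- edit distance at which a foreign second-level label
                       counts as a lookalike of our brand (assumption)
    """
    org_reg = registrable_domain(org_domain)
    brand = org_reg.split(".")[0]
    owned = {ipaddress.ip_address(i) for i in org_public_ips}
    # Assumption: "similar public IP" means same /24 as an address we own.
    owned_nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in owned}

    findings = []
    for host, ip in dns_records:
        h = host.lower().rstrip(".")
        labels = h.split(".")
        reg = registrable_domain(h)
        reasons = []

        if reg != org_reg:
            # Our brand used as a label beneath somebody else's domain,
            # e.g. acme-corp.<attacker-domain>.
            if any(brand in lab for lab in labels[:-2]):
                reasons.append("brand token used as subdomain of a foreign domain")
            # Foreign domain whose second-level label is a near-miss of ours.
            sld = reg.split(".")[0]
            if sld != brand and levenshtein(sld, brand) <= max_distance:
                reasons.append(f"lookalike domain {reg} (edit distance "
                               f"{levenshtein(sld, brand)} from {brand})")

        addr = ipaddress.ip_address(ip)
        if addr not in owned and any(addr in n for n in owned_nets):
            reasons.append("resolves into our public /24 but not to an address we own")

        if reasons:
            findings.append(Finding(h, ip, reasons))
    return findings


# Constructed sample data: TEST-NET-3 / TEST-NET-2 addresses, fictional domains.
ORG_DOMAIN = "acme-corp.example"
ORG_PUBLIC_IPS = ["203.0.113.10"]
SAMPLE_RECORDS = [
    ("vpn.acme-corp.example", "203.0.113.10"),                 # our own host
    ("acme-corp.cloud-sync-updates.example", "203.0.113.11"),  # brand under foreign domain, IP next to ours
    ("mail.acme-c0rp.example", "198.51.100.7"),                # homoglyph lookalike
    ("www.github-like.example", "198.51.100.20"),              # unrelated, benign
]


def run_sample():
    return analyse(ORG_DOMAIN, ORG_PUBLIC_IPS, SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} -> {f.ip}")
        for r in f.reasons:
            print(f"    {r}")
```

Run it on a day's worth of resolver logs with your own domain and public ranges; expect the brand-under-foreign-domain rule to fire on legitimate SaaS tenancies (e.g. `acme-corp.some-vendor.example`), so keep an allowlist of sanctioned vendors and treat the /24 rule as a corroborating signal rather than a verdict on its own.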

Unique Approach to Receiving C2 Commands

Zugec says the manner in which BellaCiao interacts with the C2 server and receives commands from it is also unique. “The communication between implant and C2 infrastructure is based…

Source…