Tag Archive for: highprofile

US indicts heart doctor for allegedly spearheading high-profile ransomware operations


A 55-year-old Venezuelan cardiologist has been charged in the US over allegedly being the mastermind behind the Jigsaw and Thanos ransomware operations.

Charges against Moises Luis Zagala Gonzalez were unsealed in federal court in Brooklyn, New York, on Monday and concern his alleged use and sale of ransomware, in addition to his support of and profit-sharing with other cyber criminals.

Zagala resides in Ciudad Bolivar, Venezuela, and also holds French citizenship. He is alleged to have created multiple high-profile ransomware tools in his spare time while primarily working as a practising doctor.

A Federal Bureau of Investigation (FBI) source posed as a prospective cyber criminal and was able to discover how Zagala’s operation ran, how he generated multiple revenue streams, and how he ‘coached’ the cyber criminals into being more successful using the tools he created.

Zagala is alleged to have created the Jigsaw ransomware strain as well as the Thanos ‘ransomware builder’ – an application that allowed users to build their own ransomware program to be used alone or sold to the wider community.

Screenshot of the Thanos application

The Thanos application presented users with a GUI and an assortment of checkboxes to enable and disable certain features so effective ransomware programs could be built with little technical knowledge.

Such features included a data stealer that allowed users to select which types of files were taken from a victim, an anti-VM feature intended to stop researchers from analysing the program in a virtual machine, and a self-delete function that removed the program once it was no longer needed.

Through its source, the FBI learned that Thanos was sold under two licensing models.

Prospective users could either pay a single up-front fee for a limited license, giving them access to the program for a set period, or enrol in an affiliate program under which the user received a lifetime license in return for giving Zagala a portion of the profit generated by the ransomware it created.

The Department of Justice (DoJ) said Zagala owned a server in Charlotte, North Carolina, that checked whether a user’s license was valid.

After the FBI source’s request to join Zagala’s affiliate…


Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks


REvil Ransomware

In an unprecedented move, Russia’s Federal Security Service (FSB), the country’s principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations.

The surprise operation, which it said was carried out at the request of the U.S. authorities, saw the law enforcement agency conduct raids at 25 addresses in Moscow and St. Petersburg and in the Moscow, Leningrad and Lipetsk regions, belonging to 14 suspected members of the organized cybercrime syndicate.

“In order to implement the criminal plan, these persons developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet,” the FSB said in a statement.


In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars that were purchased with money obtained by illicit means.

One of the most active ransomware crews last year, REvil took responsibility for high-profile attacks against JBS and Kaseya, among a string of others. The U.S. government told Reuters that one of the arrested individuals was also behind the ransomware attack on Colonial Pipeline in May 2021, once again confirming REvil’s connections to another group called DarkSide.


The group formally closed shop in October 2021 after the U.S. intervened to take its network of dark web servers offline. The next month, Romanian law enforcement authorities announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family, even as the U.S. charged a 22-year-old Ukrainian citizen linked to the ransomware gang for orchestrating the Kaseya ransomware attack.

All those detained have been charged with “illegal circulation of means of payment,” a criminal offense punishable by up to six years in prison. The suspects weren’t named, but Reuters noted that a Moscow court identified two of the men as Roman Muromsky and Andrei Bessonov.


The crackdown also comes as threat actors likely affiliated with…


Ransomware persists even as high-profile attacks have slowed


In the months since President Joe Biden warned Russia’s Vladimir Putin that he needed to crack down on ransomware gangs in his country, there hasn’t been a massive attack like the one last May that resulted in gasoline shortages. But that’s small comfort to Ken Trzaska.

Trzaska is president of Lewis & Clark Community College, a small Illinois school that canceled classes for days after a ransomware attack last month that knocked critical computer systems offline.

“That first day,” Trzaska said, “I think all of us were probably up 20-plus hours, just moving through the process, trying to get our arms around what happened.”


Even if the United States isn’t currently enduring large-scale, front-page ransomware attacks on par with ones earlier this year that targeted the global meat supply or kept millions of Americans from filling their gas tanks, the problem hasn’t disappeared. In fact, the attack on Trzaska’s college was part of a barrage of lower-profile episodes that have upended the businesses, governments, schools and hospitals that were hit.

The college’s ordeal reflects the challenges the Biden administration faces in stamping out the threat — and its uneven progress in doing so since ransomware became an urgent national security problem last spring.

U.S. officials have recaptured some ransom payments, cracked down on abuses of cryptocurrency, and made some arrests. Spy agencies have launched attacks against ransomware groups and the U.S. has pushed federal, state and local governments, as well as private industries, to boost protections.

Yet six months after Biden’s admonitions to Putin, it’s hard to tell whether hackers have eased up because of U.S. pressure. Smaller-scale attacks continue, with ransomware criminals continuing to operate from Russia with seeming impunity. Administration officials have given conflicting assessments about whether Russia’s behavior has changed since last summer. Further complicating matters, ransomware is no longer at the top of the U.S.-Russia agenda, with Washington focused on dissuading…


Google Warns High-Profile YouTube Accounts About Cookie-Stealing Malware


Google’s Threat Analysis Group (TAG) disclosed on Wednesday, Oct. 20, that several hackers were using cookie-stealing malware to compromise high-profile users on YouTube.

For the most part, the latest phishing campaign involves a series of crypto scams run from the hijacked YouTube channels.

YouTube Channels Hacked By Pass-the-Cookie Attack

Google discovered several hacking cases involving the YouTube accounts of high-profile users. According to the security team, Russian attackers are responsible for the recent malware attack.

According to a report by Threatpost, Google’s security researchers found that the cybercriminals have been carrying out their operations since 2019. The search giant also found that several threat actors had been recruited on Russian-speaking forums to launch these attacks.

The hackers used fake ads, bogus landing pages and accounts, and phishing emails to steal users’ information. The criminals’ main targets are YouTube content creators with large numbers of subscribers.

Some of the tools that Google observed during the incident are Vidar, Nexus stealer, Vikro Stealer, Kantal, Grand Stealer, RedLine and many more. Sorano and AdamantiumThief, which are open-source, were also seen during the attack.

Once the malware was running on a victim’s system, the hackers could obtain the user’s data and take over the victim’s session cookies through the cookie-stealing malware.

According to TAG Security Engineer Ashley Shen, the technique itself has been around for many years; with multi-factor authentication (MFA) now widespread, attackers have turned to social engineering to carry it out.

Shen added that the cookie-stealing malware could steal both a user’s cookies and passwords, particularly for YouTube. The team also saw anti-sandboxing methods in the recent attack, such as IP loading download, enlarged files and archive encryption.

Google Detects At Least 1,011 Domains and 15,000 Actor Accounts

The Google security team did not only find out the obvious attackers in the Russian forums but also the number of threat…
