Tag Archive for: operation

Major international police operation brings down Ragnar Locker ransomware group


A large group that carried out ransomware attacks has been dismantled in an international police operation. The suspected leader has been arrested, and their platform has been taken offline. Five of the group’s servers were seized in the Netherlands and Dutch investigators assisted in the investigation.

According to coordinator Peter Bos of the East Netherlands Cybercrime Team, he and his colleagues have made an important contribution to this large-scale international operation that was started in 2021.

“As a team, we have succeeded in mapping the IT infrastructure of the Ragnar Locker group, as well as their working methods. We also seized several servers and took down hosting services during the week of action, in which eleven countries worldwide participated. Furthermore, we have secured victim data from more than 60 multinationals and during the investigation, we notified some victims of impending ransomware attacks by this group,” Bos said.

European services Europol (police) and Eurojust (justice) announced the results of the action against the Ragnar Locker group on Friday. The main suspect was arrested in Paris last Monday. His house in the Czech Republic was searched. In addition, five other suspects were subsequently interrogated in Spain and Latvia. The group’s website on the dark web was shut down in Sweden. In addition to the Netherlands, servers were also seized in Germany and Sweden.

The ransomware, also called Ragnar Locker, has been active since December 2019. Its creators infected and locked computer systems. They also stole internal data. They then demanded a ransom from victims, both for unlocking systems and for returning sensitive data. They then offered a decryption key in exchange for a ransom amount ranging from $5 to $70 million, threatening to leak the stolen data on the dark web if their demands were not met, according to the police. They also threatened to release all files to the public if the victims filed charges.

Investigators believe that the group attacked about 168 organizations. Last year, they attacked the Portuguese national airline TAP. A month ago, they perpetrated a digital attack on a hospital near Tel Aviv in Israel.

In 2021,…

Source…

Joint FBI and CISA advisory warns of Snatch ransomware operation


The U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency today released a joint Cybersecurity Advisory warning of the Snatch ransomware operation.

Snatch first appeared in 2018 and operates on a ransomware as a service model. Ransomware as a service is a cybercriminal business model where ransomware operators develop and provide ransomware to affiliates who pay to use it for launching ransomware attacks. The first known victim in the U.S. of a Snatch ransomware attack was ASP.NET hosting provider SmarterASP.NET in 2019.

The joint advisory has been released to disseminate known ransomware indicators of compromise and tactics, techniques and procedures associated with Snatch ransomware identified through FBI investigations as recently as June 1, 2023.

Snatch threat actors are said to be consistently evolving their tactics to take advantage of current trends in the cybercriminal space and have leveraged the successes of other ransomware operations. Affiliates using Snatch have targeted critical infrastructure sectors, including companies and organizations in the defense, food and agriculture and information technology sectors.

Snatch dark web site

Like many ransomware actors over the last few years, Snatch operates on a so-called double-extortion basis, both encrypting data and stealing it – demanding that a ransom be paid not only for a decryption key but also a promise that the stolen data will not be published on Snatch’s dark web site.

Recent victims of Snatch ransomware attacks, as listed on their dark web site (pictured), include the Florida Department of Veterans’ Affairs, Zilli, CEFCO Inc., the South African Department of Defense and the Briars Group Ltd.

Discussing the advisory, Michael Mumcuoglu, chief executive officer and co-founder of posture management company CardinalOps Ltd., told SiliconANGLE that there has been increased activity by the Snatch ransomware group over the last 12-18 months as they have claimed responsibility for several recent high-profile attacks.

“A unique tactic used by the Snatch ransomware group leverages ‘stealthy malware’ that takes advantage of the fact that many Windows computers do not…

Source…

FBI’s Qakbot operation opens door for more botnet takedowns


The FBI’s recent takedown of the QakBot botnet sent shockwaves throughout the cybersecurity community when it was first announced last week. QakBot had become the malware of choice for dozens of hacking groups and ransomware outfits that used it to set the table for devastating attacks.

Since emerging in 2007 as a tool used to attack banks, the malware evolved into one of the most commonly seen strains in the world, luring an ever-increasing number of machines into its powerful web of compromised devices. Justice Department officials said their access to the botnet’s control panel revealed it was harnessing the power of more than 700,000 machines, including over 200,000 in the U.S. alone.

But almost as interesting as the takedown was the way law enforcement agencies pulled off the disruption.

Senior FBI and Justice Department officials — who called it “the most significant technological and financial operation ever led by the Department of Justice against a botnet” — explained in a briefing that they managed to infiltrate the botnet’s infrastructure and take a range of actions to shut it down.

Using a court order, the law enforcement agencies deployed the botnet’s auto-updating feature against itself to send out a custom application that uninstalled QakBot and disabled the feature on devices in the U.S.

“It’s as if the boss gave the order, ‘leave this workplace and don’t come back,’” said John Hammond, principal security researcher at the cybersecurity intelligence firm Huntress.

Chester Wisniewski, field CTO of applied research at Sophos, said the tactic reminded him of NotPetya, where a software downloader feature was abused by Russian hackers to download malware instead of updates.

“Almost all modern botnets have auto update functionality and if you can gain control of the communications channels you can essentially make them self-destruct,” Wisniewski said. “If we start having success with that though, criminals could start using digital signatures to make this more difficult.”

Other botnets

The FBI and other law enforcement agencies have conducted similar operations in the past to take down botnet networks.

The FBI’s targeting of the…

Source…

Healthcare sector targeted by Rhysida ransomware operation



BleepingComputer reports that healthcare organizations in North and South America, Western Europe, and Australia, were noted by the Department of Health and Human Services to have been targeted by the …

Source…