
NHS Scotland Clinical Data Published Ransomware


Health authorities in Scotland have hit out at a ransomware gang after it started publishing data including clinical and personal identifiable information of both patients and staff.

The confirmation came after NHS Dumfries and Galloway had warned on 15 March that it had been the target of a focused and ongoing cyber attack on its IT systems.

It has been widely reported that the hacking gang, dubbed INC Ransom, obtained 3TB (terabytes) of data and is threatening to publish the entire tranche unless a ransom is paid.

Data published

Now the NHS has condemned the decision of the hackers to publish some of the data.

“NHS Dumfries and Galloway is aware that clinical data relating to a small number of patients has been published by a recognised ransomware group,” the board said in a statement. “This follows a recent focused cyber attack on the Board’s IT systems, when hackers were able to access a significant amount of data including patient and staff-identifiable information.”

NHS Dumfries and Galloway chief executive Jeff Ace condemned the publication of the data.

“We absolutely deplore the release of confidential patient data as part of this criminal act,” said Ace. “This information has been released by hackers to evidence that this is in their possession.”

“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies in response to this developing situation,” Ace said. “Patient-facing services continue to function effectively as normal.”

“As part of this response, we will be making contact with any patients whose data has been leaked at this point, and continue working to limit any sharing of this information,” Ace added.

“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”

The INC ransomware operation is now threatening to leak more data via its dark web leak site.

Frustrated hackers

The refusal of NHS Scotland to pay the hackers' ransom demand was noted by William Wright, CEO of Scotland-based

Source…

New BlackCat ransomware analysis published as leak site goes dark


Amid news that the ALPHV/BlackCat ransomware gang is shutting down operations in a likely exit scam, researchers published a new technical breakdown of the ransomware’s binary.

The Trustwave SpiderLabs report published Wednesday dives into remote access and stealth tactics used in deployment of BlackCat ransomware since the group’s resurgence, after its initial disruption by the FBI in December.

ALPHV/BlackCat’s leak site went down for a second time on Friday and is now replaced with an FBI takedown notice that security experts say is likely fake.

Inspecting the site shows the takedown banner is extracted from an archive, and Europol and the National Crime Agency (NCA) deny being involved in the takedown despite their logos appearing on the page, BleepingComputer reports.

The cybergang’s operators claim they plan to cease operations and sell the BlackCat ransomware source code for $5 million due to law enforcement interference — but this move comes after allegations it stole a $22 million ransom from one of its own affiliates after claiming responsibility for the attack against Change Healthcare. This has led the gang’s actions to be labeled by many as an “exit scam.”

“Based on our experience, we believe that BlackCat’s claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after the hiatus,” Reegun Jayapaul, principal threat hunter at Trustwave, told SC Media in an email. “This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny.”

Whether ALPHV/BlackCat returns under a different name — or the ransomware-as-a-service (RaaS) strain is sold and brought under new management — organizations should stay alert for BlackCat’s ransomware tactics despite the bizarre shakeup.

“Regardless if BlackCat sells their source code or not, threat actors are always honing and evolving their craft,” Shawn Kanady, global director of the Trustwave SpiderLabs Threat Hunt Team, told SC Media.

New stealth features discovered in BlackCat ransomware ‘Version 3’

The BlackCat variant studied by Trustwave researchers is more elusive than previous versions…

Source…

New 'Connected Places' infographic published – NCSC.GOV.UK – National Cyber Security Centre

Source…

Black Basta Ransomware Decryptor Published


Security researchers have published a new suite of tools designed to help victims of the prolific Black Basta ransomware recover their files.

Berlin-based Security Research (SR) Labs revealed in a recent GitHub post that the tools exploit a weakness in the encryption algorithm.

Black Basta uses a ChaCha keystream to XOR encrypt 64-byte-long chunks of victim files.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file,” SRLabs explained.

“Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

Read more on Black Basta: Black Basta Deploys PlugX Malware in USB Devices With New Technique

The tools work specifically when a 64-byte chunk that Black Basta encrypted is known to have contained only zero bytes, since XORing zeros with the keystream leaves the keystream itself in the ciphertext; large files such as disk images are full of such zero-filled regions, which is why the approach mainly works for larger files.

“For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images,” SRLabs said.

“We have built some tooling which can help analyzing encrypted files and check if decryption is possible. For example, the decryptauto tool may recover files containing encrypted zero bytes. Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.”
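The quoted analysis says 64 known plaintext bytes are enough to recover a file, which only works if one 64-byte ChaCha keystream block is reused across the chunks it encrypts. The following is an added example, not SRLabs' tooling or Black Basta code: it models exactly that reuse with a stand-in keystream (SHA-512 of a key instead of real ChaCha, since the attack depends only on the reuse), shows the known-plaintext recovery of the keystream, and implements a frequency heuristic for zero-filled chunks in the spirit of the `decryptauto` tool. The file layout, key, and size thresholds in the demo are constructed and do not reproduce Black Basta's real partial-encryption pattern or its 5000-byte limit.

```python
import hashlib
from collections import Counter

CHUNK = 64  # Black Basta XORs 64-byte chunks with a ChaCha keystream (per SRLabs)


def keystream_block(key: bytes) -> bytes:
    """Stand-in for one 64-byte ChaCha keystream block.

    Constructed for this example: SHA-512 of the key yields 64 pseudo-random
    bytes so the demo runs without a ChaCha implementation. The recovery
    below does not depend on how the block was generated, only on its reuse.
    """
    return hashlib.sha512(key).digest()


def xor_chunks(data: bytes, ks: bytes) -> bytes:
    """XOR every 64-byte chunk of data with the same keystream block."""
    out = bytearray(data)
    for off in range(0, len(out), CHUNK):
        for i in range(off, min(off + CHUNK, len(out))):
            out[i] ^= ks[i - off]
    return bytes(out)


def flawed_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy model of the weakness: one keystream block reused for every chunk.

    Assumption: this models only the reuse that makes 64 known plaintext
    bytes sufficient; it is not Black Basta's actual file layout.
    """
    return xor_chunks(plaintext, keystream_block(key))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext = keystream.

    The 64 known bytes must start on a chunk boundary; an unaligned window
    would yield a rotated copy of the block and decrypt nothing correctly.
    """
    if offset % CHUNK != 0:
        raise ValueError("known plaintext must be aligned to a 64-byte chunk")
    if len(known_plaintext) < CHUNK:
        raise ValueError("need 64 bytes of known plaintext")
    c = ciphertext[offset:offset + CHUNK]
    if len(c) < CHUNK:
        raise ValueError("ciphertext too short at that offset")
    return bytes(a ^ b for a, b in zip(c, known_plaintext[:CHUNK]))


def guess_zero_chunk(ciphertext: bytes):
    """Heuristic in the spirit of decryptauto: a chunk that was all zeros in
    the plaintext encrypts to the bare keystream block, and large files such
    as VM disk images contain many such chunks, so the most frequent
    ciphertext chunk is the candidate keystream. Returns (chunk, count).
    Any other repeated 64-byte plaintext pattern would repeat too, which is
    why the result still needs manual review before trusting it.
    """
    counts = Counter(
        ciphertext[o:o + CHUNK]
        for o in range(0, len(ciphertext) - CHUNK + 1, CHUNK)
    )
    block, n = counts.most_common(1)[0]
    return block, n


def demo() -> dict:
    """Constructed sample file: a recognisable header, a long run of zero
    bytes (as in a sparse disk image) and a non-zero payload at the end.
    Returns checks for both recovery paths."""
    header = b"CONSTRUCTED-DISK-IMAGE-HEADER-v1".ljust(CHUNK, b"\x00")
    payload = bytes(range(256)) * 4
    plaintext = header + b"\x00" * (CHUNK * 200) + payload
    key = b"constructed-key-not-from-black-basta"  # assumption: demo key only
    ct = flawed_encrypt(plaintext, key)

    # Path 1: the first 64 bytes are known (a standard file header).
    ks_known = recover_keystream(ct, header, 0)
    # Path 2: no known header; rely on the zero-filled chunks instead.
    ks_guess, zero_chunks = guess_zero_chunk(ct)

    return {
        "known_header_ok": xor_chunks(ct, ks_known) == plaintext,
        "zero_guess_ok": xor_chunks(ct, ks_guess) == plaintext,
        "zero_chunks": zero_chunks,
        "keystreams_match": ks_known == ks_guess,
    }


if __name__ == "__main__":
    print(demo())
```

The two paths converge on the same 64-byte block: a known header gives it directly, while the frequency heuristic finds it because the 200 zero chunks all encrypt to the bare keystream. In the real recovery this is the step that fails for small files, which have neither enough zero-filled chunks for the heuristic nor, if fully encrypted, an intact 64-byte region of known content.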

However, the decryption tools will only work for the Black Basta ransomware variant used in around April 2023, the researchers continued.

Black Basta is one of the most successful ransomware-as-a-service operations around, having generated over $100m in revenue since April 2022. Its developers are suspected of links to the now-defunct Conti group and Qakbot malware.

Source…