Tag Archive for: Ransomware

Ransomware payment debate resurfaces amid Change Healthcare incident


A hotly debated flashpoint in the cybersecurity community is getting renewed attention as healthcare stakeholders work to rebound from a major ransomware attack that’s roiled the U.S. health insurance market over the past month.

The Feb. 21 Change Healthcare ransomware attack carried out by the ALPHV/Blackcat hacking gang has delayed prescription fillings and led to cash crunches at clinics and other facilities. The American Healthcare Association said that 94% of hospitals are signaling financial impact due to the incident, with some providers losing upwards of $1 billion per day in revenues.

Change Healthcare reportedly made a $22 million ransom payment to the hackers. Soon after, the cybercrime collective appeared to stage a fake takedown of their own site. But analysts expect the group to reemerge under a new name.

The U.S. over the past year has been working with international partners to take a firm stance against ransom payments, though surveyed experts have not agreed on a single policy.

Some cyber industry leaders say that paying ransoms should be banned because it emboldens cybercriminals and helps fund more illicit activities, and that, in some cases, paying a ransom does not necessarily guarantee that compromised data will be returned.

Others argue that total bans put too much pressure on victims, and that sometimes payments need to be made in order to recover vital systems, like those seen in hospitals and critical infrastructure.

In a briefing with reporters Monday, the Department of Health and Human Services said it has not yet taken an official position on whether ransom payments should be banned, and later told Nextgov/FCW it would defer to the National Security Council and FBI on the matter.

The White House is maintaining its previously established position that ransoms should not be paid because payment incentivizes cybercriminals to conduct more ransomware attacks.

The Biden administration “strongly discourages paying of ransoms, to stop the flow of funds to these criminals and disincentivize their attacks,” Anne Neuberger, deputy national security advisor for cyber and emerging technology at the NSC, said in a statement to Nextgov/FCW.

The FBI declined to…

Source…

D#NUT ransomware gang claims Ready or Not dev Void Interactive as a victim


The developer of a SWAT-based first-person shooter has allegedly lost four terabytes of data including source code to a ransomware attack.

The D#NUT ransomware gang is claiming to have successfully exfiltrated four terabytes of data from Void Interactive, the developer of popular tactical shooter Ready or Not.

“voidinteractive.net you are welcome in our chat,” D#NUT declared on its dark net leak site on March 14.

“You has been pwned. All data related Ready Or Not will be posted here if u will keep silent. We got 4Tb of source code and game related data.”

The gang do not appear to be native English speakers.

“Send us a message via for on that blog as soon as possible. We will provide more profs (list of exfiltrated files).”

To add proof to its claim, the gang shared a link to the Imgur image-hosting site, and a screenshot of a list of various builds of the game in what appears to be a dev environment. More than 20 distinct builds are listed, for both PC and consoles, as well as various performance test builds.

The screenshot appears to be authentic.

D#NUT – whose leak site features a lurid illustration of the gang’s namesake – is a relatively small ransomware operation. Since it was first observed by threat tracker FalconFeeds.io in April 2023, the gang has claimed ten victims, with Void Interactive being the latest. Half of its victims have been North American organisations, with the rest spread across Europe and the UK.

However, the authenticity of the gang’s claims has been questioned by some observers. On February 5 the gang claimed to have successfully hacked the US Department of Defense, stealing documents related to a host of contractors, but one security analyst poured cold water on the claim.

“I would approach this claimed ‘breach’ by donut ransomware with caution and scepticism,” the X account CyberKnow posted on the same day.

“All the claimed US defence contractor victims have been posted to leak sites in the past year or two.”

There are some earlier incidents that D#NUT has taken responsibility for, while in…

Source…

Scranton School District suffered a ransomware attack


Scranton School District in Pennsylvania suffered a ransomware attack

Pierluigi Paganini
March 16, 2024

School districts continue to be under attack: schools in Scranton, Pennsylvania, are suffering a ransomware attack.

This week, schools in Scranton, Pennsylvania, experienced a ransomware attack, resulting in IT outages. The Scranton School District is working with third-party forensic specialists to investigate the security breach and restore impacted systems.

“The attack is causing a temporary disruption to some of our computer systems and services. We are working diligently with third party forensic specialists, that we engaged last evening, to investigate the source of this incident, confirm its impact on our systems, and to restore full functionality to the system as soon as possible,” reads a post the Scranton School District published on Facebook.

“Scranton School District’s computer system was recently hacked and infected with ransomware, according to acting Superintendent Patrick Laffey,” reported The Times-Tribune.

The district ordered school staff not to use any electronic devices and uninstall any school-related apps from their mobile devices, said Rosemary Boland, president of the Scranton Federation of Teachers.

“As you know, some files may be inaccessible during this period as we, and the third-party forensic specialists, continue the investigation. Due to the increased security measures placed in our systems, some functions may be slower than usual.”

The Scranton School District website is not reachable and their Facebook account is not available at the time of this writing.

The Scranton School District is a large, urban school district located in Scranton, Pennsylvania in the Wyoming Valley region. The district encompasses approximately 26 square miles. According to the 2020 census, the Scranton School District serves a resident population of 76,997.

The school district includes 15 schools and serves more than 9000 students.

The Scranton School District reported “network-related issues” on Thursday; the problems disrupted computer systems and services across the District. The issues caused the school…

Source…

Ransomware Groups’ Data Leak Blogs Lie: Stop Trusting Them



March 15, 2024    


Ransomware gangs are not reliable sources of information. Groups that run data leak blogs – and not all do – use them to pressure new and future victims into paying for the promise of either a decryptor or a pledge to delete stolen data.

The number of victims that end up on a data leak site is inherently incomplete. Victims who pay a ransom quickly don’t get posted; criminals don’t publish these numbers. In addition, “some groups post more of their nonpaying victims than others,” and it’s often not clear why, said Brett Callow, a threat analyst at Emsisoft.

As a result, relying on data leak blogs to build a picture of attack volume can lead to wildly inaccurate results, not only about victim count but about the impact of any given attack. Unfortunately, some cybersecurity organizations, often aided and abetted by us in the media, regularly track fresh victims claimed by ransomware groups via their Tor-based data leak blogs, aka “name and shame” sites.

“Relying on shame blogs is the last thing we should do while assessing a group threat,” said Yelisey Bohuslavskiy, chief research officer at RedSense. “Blogs reflect how often extortion fails, and the victim decides to show the criminals a middle finger. Often, the fewer victims are on the blogs, the more successful the group…

Source…