FIN11 e-crime group shifted to CL0P ransomware and big game hunting

The financially motivated FIN11, which increasingly incorporated CL0P ransomware into their operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.

“Several of their recent ransom notes explicitly name data stolen from workstations that belong to top executives (including founders/CEOs) of the respective enterprises,” Senior Cybersecurity Analyst Thomas Barabosch wrote in a blog post detailing new research from Deutsche Telekom. “This is likely based on the hope that using data stolen from top executives in the extortion process raises their chances that the victim pays.”

The research sheds new light on how cybercriminals from the threat group, described as a relentless big game ransomware hunter that rarely goes more than a day or two between attacks, used the popular CL0P ransomware in their intrusions.

Throughout 2020, FIN11 actors followed an observable pattern across three separate campaigns: first spamming potential victims with phishing emails during the work week, then sifting through those who clicked on the malicious link to identify the most lucrative corporate targets for follow-up action. FireEye picked up on one of those campaigns in October, and the company’s research suggests “that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”

In the FIN11 CL0P attacks, each target is hit with its own variation of the ransomware. Researchers found more than a dozen different CL0P samples used by the group, and in some cases multiple samples for a single victim. The group also crafts a personalized ransom note that includes the victim’s name, specifics about the exfiltrated data, file share paths, user names and other details. Each victim’s build also embeds its own 1024-bit RSA public key, so a private key or decryptor recovered from one victim is of no use to another, and recovering the key by factoring the modulus is not realistic: as Barabosch noted in a blog post, “as of January 2021, the largest publicly known RSA key that was factored…had 829 bits.”
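One consequence of the per-victim key scheme is that samples can be clustered by the RSA public key they embed: two samples carrying the same key belong to the same victim, and the modulus size tells an analyst up front whether key recovery by factoring is even worth considering. The script below is an added example written for this page, not tooling from Deutsche Telekom or FireEye. It scans a blob for embedded PKCS#1 `RSAPublicKey` DER structures with a small stdlib-only DER parser, reports modulus size and a key fingerprint, and groups samples by key. The sample files and their contents are constructed inline; the 1024-bit moduli are deterministic odd integers derived from a label, not real RSA moduli, which is enough to exercise the parsing and clustering logic.

```python
import hashlib


# --- minimal DER helpers (PKCS#1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }) ---

def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):
    """Encode a non-negative INTEGER, padding with 0x00 when the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def rsa_public_key_der(n, e):
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one tag/length/value triple; raise on truncation or odd lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated")
    return tag, value, pos + length


def parse_rsa_public_key(der):
    """Return (n, e, total_length) for a DER RSAPublicKey at the start of `der`."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, n_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tag, e_bytes, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body):   # exactly two INTEGERs and nothing else
        raise ValueError("exponent is not an INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"), end


def find_rsa_keys(blob, min_bits=512):
    """Scan a sample for embedded RSAPublicKey structures that look plausible."""
    found = []
    i = blob.find(b"\x30")
    while i != -1:
        try:
            n, e, size = parse_rsa_public_key(blob[i:])
            # plausibility filter: odd modulus of useful size, odd exponent > 1
            if n.bit_length() >= min_bits and n % 2 == 1 and e > 1 and e % 2 == 1:
                found.append({
                    "offset": i,
                    "bits": n.bit_length(),
                    "e": e,
                    "fingerprint": hashlib.sha256(blob[i:i + size]).hexdigest()[:16],
                })
                i = blob.find(b"\x30", i + size)   # skip past the key just parsed
                continue
        except (ValueError, IndexError):
            pass
        i = blob.find(b"\x30", i + 1)
    return found


def cluster_by_key(samples):
    """Map key fingerprint -> sorted list of sample names embedding that key."""
    clusters = {}
    for name, blob in sorted(samples.items()):
        for key in find_rsa_keys(blob):
            clusters.setdefault(key["fingerprint"], []).append(name)
    return clusters


# --- constructed test data (hypothetical file names; moduli are NOT real RSA keys) ---

def constructed_modulus(label):
    """Deterministic odd 1024-bit integer standing in for a per-victim modulus."""
    raw = hashlib.sha512(label).digest() * 2            # 128 bytes = 1024 bits
    return int.from_bytes(raw, "big") | (1 << 1023) | 1


KEY_A = constructed_modulus(b"victim-A")
KEY_B = constructed_modulus(b"victim-B")
SAMPLES = {
    "clop_a1.bin": b"MZ" + b"\x90" * 40 + rsa_public_key_der(KEY_A, 65537) + b"\xcc" * 24,
    "clop_a2.bin": b"MZ" + b"\x00" * 64 + rsa_public_key_der(KEY_A, 65537) + b"\xcc" * 8,
    "clop_b1.bin": b"MZ" + b"\x90" * 40 + rsa_public_key_der(KEY_B, 65537),
}

if __name__ == "__main__":
    for fp, names in cluster_by_key(SAMPLES).items():
        bits = find_rsa_keys(SAMPLES[names[0]])[0]["bits"]
        print(f"key {fp} ({bits}-bit): {', '.join(names)}")
```

On real samples the key is more often stored as a SubjectPublicKeyInfo blob, a PEM string, or a Windows `BLOBHEADER`/`RSAPUBKEY` structure rather than bare PKCS#1, so in practice the scanner needs one matcher per container format; the clustering step stays the same.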
Environmental agency SEPA hit by ransomware attack since Christmas Eve

The Scottish Environment Protection Agency has confirmed that it has been subject to a continuing ransomware attack, likely led by organised crime groups.

The attack, which has been going on since Christmas Eve, resulted in the theft of 1.2GB of data.

A dedicated data loss support website and support line have been set up for regulated businesses and supply chain partners.

The environmental protection agency said it is working with Police Scotland, the National Cyber Security Centre and Scottish Government to respond to what it describes as “complex and sophisticated criminality”.

Terry A’Hearn, Chief Executive of the Scottish Environment Protection Agency, said: “Whilst having moved quickly to isolate our systems, cyber security specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre have now confirmed the significance of the ongoing incident.

“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

With the infected systems isolated, the agency has said that recovery may take a significant period: a number of SEPA systems will remain badly affected for some time, and new systems will be required.

Email systems remain impacted and offline. Information submitted to SEPA by email since Christmas Eve is not currently accessible and whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.

Cyber security specialists have also identified the loss of circa 1.2 GB of data, equivalent to a fraction of the contents of an average laptop hard drive. The indications suggest that at least 4,000 files may have been accessed and stolen by criminals.

A’Hearn said: “Work continues by cyber security specialists to seek to identify what the stolen data was.

“Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a…
Cybereason and Intel Drive New Ransomware Protections

Dubai, UAE – January 12, 2021 – Cybereason has announced a partnership to adopt new Intel Hardware Shield protections for Ransomware available on the 11th Gen Intel Core vPro mobile platforms. Cybereason’s multi-layered protection, in collaboration with Intel Threat Detection Technology, will enable full-stack visibility to uncover ransomware attacks.

The solution represents the first instance where PC hardware plays a direct role in ransomware cyber defense to better protect enterprise endpoints from costly attacks, and underscores both companies’ commitment to empowering defenders by reversing the adversary advantage.

Ransomware continues to evade traditional anti-malware defenses, highlighting the need for a new approach to protecting the enterprise from costly attacks, system downtime, and reputational damage. Cybereason’s superior prevention, detection and response capabilities combined with Intel Hardware Shield protects enterprise customers from ransomware while improving overall security performance.

“This collaboration with Intel to add CPU based threat detection bolsters our long history and industry-leading capabilities in detecting and eradicating ransomware. The combination of best-of-class hardware, software, and security know-how provides defenders with full-stack visibility critical to ending the era of double extortion that is currently costing organisations hundreds of millions each year”, said Lior Div, CEO and Co-Founder, Cybereason.

“Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats. Our new 11th Gen Core vPro mobile platform provides the industry’s first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks. Together with Cybereason’s multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defences”, said Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel.

Cybereason expects to…