
New BlackCat ransomware analysis published as leak site goes dark


Amid news that the ALPHV/BlackCat ransomware gang is shutting down operations in a likely exit scam, researchers published a new technical breakdown of the ransomware’s binary.

The Trustwave SpiderLabs report published Wednesday dives into remote access and stealth tactics used in deployment of BlackCat ransomware since the group’s resurgence, after its initial disruption by the FBI in December.

ALPHV/BlackCat’s leak site went down for a second time on Friday and is now replaced with an FBI takedown notice that security experts say is likely fake.

Inspecting the site shows the takedown banner is extracted from an archive, and Europol and the National Crime Agency (NCA) deny being involved in the takedown despite their logos appearing on the page, BleepingComputer reports.  

The cybergang’s operators claim they plan to cease operations and sell the BlackCat ransomware source code for $5 million due to law enforcement interference — but this move comes after allegations it stole a $22 million ransom from one of its own affiliates after claiming responsibility for the attack against Change Healthcare. This has led the gang’s actions to be labeled by many as an “exit scam.”

“Based on our experience, we believe that BlackCat’s claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after the hiatus,” Reegun Jayapaul, principal threat hunter at Trustwave, told SC Media in an email. “This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny.”

Whether ALPHV/BlackCat returns under a different name — or the ransomware-as-a-service (RaaS) strain is sold and brought under new management — organizations should stay alert for BlackCat’s ransomware tactics despite the bizarre shakeup.

“Regardless if BlackCat sells their source code or not, threat actors are always honing and evolving their craft,” Shawn Kanady, global director of the Trustwave SpiderLabs Threat Hunt Team, told SC Media.

New stealth features discovered in BlackCat ransomware ‘Version 3’

The BlackCat variant studied by Trustwave researchers is more elusive than previous versions…

Source…

Site run by cyber criminals behind Fulton County ransomware attack taken over


International officials believe they have gotten to the bottom of a cyberattack in Fulton County.

On Monday, a website belonging to a group of accused cyber criminals who claimed responsibility for the ransomware incident in Fulton County was taken down by the National Crime Agency of the UK.

The international law enforcement group working in conjunction with the FBI says they will report more information about the takeover on Feb. 20.

Lockbit website reportedly taken over by The National Crime Agency of the UK. This screenshot was taken on Feb. 19, 2024.

What Fulton County systems are impacted by the cyberattack?

Officials say the cyberattack in late January affected the county’s phone system, court system, tax system and jailhouse.

“A number of our primary technology platforms are affected by this incident,” Fulton County Board of Commissioners Chairman Robb Pitts said. Two weeks later, officials revealed that the attack may have been financially motivated.

Was my personal information compromised during Fulton County ransomware attack?

Fulton County did not say what information hackers might have, but according to a screenshot from the alleged hacking group’s website posted on social media, it might include confidential documents and personal data of citizens.

Last week, the Lockbit group threatened to release the data they stole.

The hackers gave Fulton County until Feb. 16 to pay a ransom. FOX 5 Atlanta reached out to determine whether it was paid, but has not received an answer.

“If we determine sensitive personal information was involved in this incident, we will notify those parties in accordance with legal requirements,” Pitts said.

The county says the investigation is ongoing and warns the situation is not unique to Fulton County.

“Incidents like these are on the rise across the United States and the world, particularly in local governments and we at Fulton County are no exception,” Pitts said.

In the meantime, Fulton County officials say they are working to strengthen…

Source…

Ransomware Leak Site Victims Reached Record-High in November


After a quieter month in October, ransomware groups seemed to return with a vengeance in November, with the highest number of listed victims ever recorded, according to Corvus Insurance.

In a report published on December 18, 2023, Corvus Threat Intel observed 484 new ransomware victims posted to leak sites in November.

This represents a 39.08% increase from October and a 110.43% increase compared with November 2022.

Source: Corvus Insurance

This is the eleventh month in a row with a year-on-year increase in ransomware victims and the ninth in a row with victim counts above 300. This is also the third time such a record has been broken this year.

However, while the previous two records in 2023 were primarily attributed to Clop’s MOVEit supply chain attack, this was not the case in November.

A CitrixBleed-Induced Peak in LockBit Activity

According to Corvus’ data, the November peak was partly due to a resurgence in LockBit’s activity.

Source: Corvus Insurance

November was LockBit’s third-highest month of 2023 in terms of listed victims (121) after a quieter Fall.

Source: Corvus Insurance

If the first two peaks were due to affiliates returning to work after a winter or a summer break, Corvus threat intelligence analysts estimated that the November increase could be attributed to the CitrixBleed vulnerability, “which has reportedly become a new staple for the group.”

Read more: LockBit Affiliates are Exploiting Citrix Bleed, Government Agencies Warn

Could QakBot Resurgence Mean a New Record this Winter?

Based on historical seasonal data, the Corvus Threat Intel team predicted that the number of ransomware leak site victims listed in December will be higher than in December 2022 but likely won’t match November’s numbers.

“We expect a decrease in January as the humans behind ransomware attacks take some time off,” the researchers added.

Finally, Corvus observed that although the take-down of the malware loader QakBot (aka QBot) by law enforcement in August impacted ransomware groups, this new resurgence in victim listings showed that “the ransomware ecosystem has successfully pivoted away from QBot.”

The fact that…

Source…

BlackCat ransomware site down amidst rumours of law enforcement action


The ALPHV data leak site, along with the Tor negotiation URLs shared with victims in ransom notes, went offline on 7th December and has yet to be restored.

Security researchers, including Yelisey Bohuslavkiy, chief research officer at RedSense, have hinted at a possible law enforcement operation targeting the group.

Bohuslavkiy said admins of other top-tier ransomware groups directly linked to ALPHV, including Royal/BlackSuit, BlackBasta and LockBit, confirmed law enforcement involvement in the takedown.

Despite these rumours, BlackCat’s leadership maintains that “everything will work soon.”

When contacted by BleepingComputer, the ALPHV admin mentioned server repairs, but provided no further details.

ReliaQuest, a security operations centre company, notes that BlackCat’s site has a history of intermittent connectivity issues, although the current outage is among the longest faced by the group.

Notably, no law enforcement agency has officially released information about an operation specifically targeting BlackCat.

ALPHV had previously dismissed the possibility of a takedown effort like the one that targeted the Hive ransomware group in January 2023.

Analysts at ReliaQuest speculate that this disruption could prompt hackers associated with BlackCat to seek new affiliations, or even establish their own ransomware gangs.

“The removal of this group from the ransomware landscape will undoubtedly leave a void, with its operators and affiliates likely moving to other ransomware groups or forming new groups,” said Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest.

The company noted that similar law enforcement actions in the past have resulted in the dispersal of affiliates into new programmes, bringing valuable experience from previous operations.

Who is BlackCat?

BlackCat first appeared in late 2021 as a ransomware-as-a-service enterprise, offering lucrative payouts of up to 90% of…

Source…