Tag Archive for: striking

Royal ransomware gang infiltrated networks weeks before striking


Hackers began surveillance of the city of Dallas’ networks weeks before carrying out a devastating ransomware attack in May, according to a recent report on the incident.

The 31-page After-Action Report, published last week, outlines what happened before, during and after the ransomware attack crippled critical systems used by the city’s police, firefighters, hospitals and government officials. As the ninth largest city in the country, Dallas was “a logical choice for bad actors wishing to initiate and prosecute” an attack, the experts said.

The city operates more than 860 applications and has about 200 IT workers within the Dallas Department of Information & Technology Services (ITS).

The hackers — part of the Royal ransomware gang — first infiltrated government systems on April 7 and immediately began surveillance operations. They used a government service account to pivot into the city’s infrastructure and deploy remote management tools.

From April 7 to May 2, the hackers exfiltrated nearly 1.17 terabytes of data and prepared themselves to deploy the ransomware, which they did the following morning.

“Using its previously deployed beacons, Royal began moving through the City’s network and encrypting an apparently prioritized list of servers using legitimate Microsoft system administrative tools,” they explained.

“City attack mitigation efforts began immediately upon the detection of Royal’s ransomware attack. To thwart Royal and slow its progress, City Server Support and Security teams began taking high-priority services and service supporting servers offline. As this was done, City service restoration identification activities began.”

The city noted officials focused on restoring critical systems like the Public Safety Computer-Aided Dispatch, which was brought down during the attack and caused police and ambulances to go to the wrong location multiple times for days.

Officials also focused on 311 services and city-facing communication websites as the first systems that needed to be restored.

In addition to internal and external cybersecurity assistance, the city called on federal law enforcement agencies like the FBI and Cybersecurity and…


It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel


The flag of Iran.

Researchers say they’ve uncovered never-before-seen disk-wiping malware that’s disguising itself as ransomware as it unleashes destructive attacks on Israeli targets.

Apostle, as researchers at security firm SentinelOne are calling the malware, was initially deployed in an attempt to wipe data but failed to do so, likely because of a logic flaw in its code. The internal name its developers gave it was “wiper-action.” In a later version, the bug was fixed and the malware gained full-fledged ransomware behaviors, including the leaving of notes demanding victims pay a ransom in exchange for a decryption key.

A clear line

In a post published Tuesday, SentinelOne researchers said they assessed with high confidence that, based on the code and the servers Apostle reported to, the malware was being used by a never-before-seen group with ties to the Iranian government. While a ransomware note they recovered suggested that Apostle had been used against a critical facility in the United Arab Emirates, the primary target was Israel.

“The usage of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions,” Tuesday’s report stated. “Analysis of the Apostle malware provides a rare insight into those kinds of attacks, drawing a clear line between what began as a wiper malware to a fully operational ransomware.”

The researchers have dubbed the newly discovered hacking group Agrius. SentinelOne first saw the group using Apostle as a disk wiper, although a flaw in the malware, most likely a logic error in its code, prevented it from actually wiping data. Agrius then fell back on Deadwood, a wiper that had already been used against a target in Saudi Arabia in 2019.

When Agrius released a new version of Apostle, it was full-fledged ransomware.

“We believe the implementation of the encryption functionality is there to mask its actual intention—destroying victim data,” Tuesday’s post stated. “This thesis is supported by an early version of Apostle that the attackers internally named…


Google’s Striking New Android Security Move: 55 Billion App Installs Now Impacted – Forbes


Android ransomware variant hoodwinks AV software by waiting 4 hours before striking – SC Magazine

A newly discovered variant of the Android ransomware PornDroid eludes all antivirus programs by waiting four hours before executing its malicious activity as well as by employing heavy amounts of obfuscation. Despite these clever innovations, PornDroid …
