Germany and Ukraine hit two high-value ransomware targets

The German Regional Police (Landeskriminalamt Nordrhein-Westfalen) and the Ukrainian National Police (Націона́льна полі́ція Украї́ни), with support from Europol, the Dutch Police (Politie) and the United States Federal Bureau of Investigation, targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.

This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations and critical infrastructure and industries. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related processes of the attacked systems. The DoppelPaymer attacks were enabled by the prolific EMOTET malware.

The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript. The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020. German authorities are aware of 37 victims of this ransomware group, all of them companies. One of the most serious attacks was perpetrated against the University Hospital in Düsseldorf. In the US, victims paid at least 40 million euros between May 2019 and March 2021.

During the simultaneous actions, German officers raided the house of a German national, who is believed to have played a major role in the DoppelPaymer ransomware group. Investigators are currently analysing the seized equipment to determine the suspect’s exact role in the structure of the ransomware group. At the same time, and despite the extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination.

Europol on-site to speed up forensic analysis of seized data

On the action days, Europol deployed three experts to Germany to cross-check operational information against Europol’s databases and to provide further operational analysis, crypto tracing and forensic support. The analysis of this data and other related cases is expected to trigger further investigative activities. Europol also set up a Virtual Command Post to connect the investigators and experts from Europol, Germany, Ukraine, the Netherlands and the United States in real time and to coordinate activities during the house searches. Europol’s Joint Cybercrime Action Taskforce (J-CAT) also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

From the beginning of the investigation, Europol facilitated the exchange of information, coordinated the international law enforcement cooperation and supported the operational activities. Europol also provided analytical support by linking available data to various criminal cases within and outside the EU, and supported the investigation with cryptocurrency, malware, decryption and forensic analysis.

CISA Launches Ransomware Warning Pilot for Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency publicly announced that it has established a pilot program to identify vulnerabilities within critical infrastructure systems that are known to be exploited by ransomware groups and threat actors.

According to CISA, the ransomware vulnerability warning pilot—or RVWP—will “identify organizations with internet-accessible vulnerabilities commonly associated with known ransomware actors by using existing services, data sources, technologies and authorities, including our free Cyber Hygiene Vulnerability Scanning service.”

The RVWP first began on 30th January when CISA contacted 93 organizations “identified as running instances of Microsoft Exchange Service with a vulnerability called ‘ProxyNotShell,’ which has been widely exploited by ransomware actors.”

“This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations,” CISA said.

The pilot program was created in response to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, a 2022 law that required CISA “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments” to the agency. CISA said the RVWP would be “coordinated by and aligned with the Joint Ransomware Task Force,” an interagency body that was also established by CIRCIA.

“Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource poor entities like many school districts and hospitals,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations.”

Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber actors to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

- Train users to recognize and report phishing attempts.
- Enable and enforce phishing-resistant multifactor authentication.
- Install and regularly update antivirus and antimalware software on all hosts.

See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for ransomware actor’s tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

United States and Spain Announce the Development of a New Capacity Building Tool to Combat Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the U.S. Department of State and the Spanish Ministry of the Interior, announced a joint project to develop a capacity-building tool to help countries utilize public-private partnerships (PPPs) to combat ransomware. This project was developed as part of the Second International Counter Ransomware Initiative (CRI) Summit, which was convened in Washington, D.C. The CRI is a global coalition of 36 partner nations and the European Union dedicated to confronting the scourge of ransomware.

The CRI’s Public-Private Partnership (P3) Working Group, chaired by Spain, has focused on the essential need for close collaboration between governments and the private sector to address the challenges posed by ransomware. This tool will provide much needed guidance to nations around the world seeking to develop or deepen such public-private partnerships.

“Building capacity across the world is an essential aspect of our fight against ransomware,” said Brandon Wales, CISA Executive Director. “By learning from each other—public and private sector alike—and sharing that knowledge more broadly, we can effectively protect the critical infrastructure necessary to sustain not only American society, but the global institutions and networks upon which it relies.”

“Spain has the strong conviction that this project will contribute in a decisive manner to expose the most innovative state of the art of PPP best practices to fight against ransomware,” said Guillermo Ardizone García, Political Director of the Ministry of Foreign Affairs. “Thereby, all multi-stakeholders and partners involved in the CRI will be benefited from this line of action. Spain will actively encourage state and non-state stakeholders to join in this project poised to broadly share the PPP best practices, including creative financing schemes.”

When completed, the tool will feature a series of case studies of PPPs that have been used in the counter-ransomware fight, including those pioneered by members of the CRI P3 Working Group. The tool will highlight the features that made these efforts successful and will be designed to provide practical guidance to countries looking to implement their own PPPs as part of their national counter-ransomware efforts.

To develop the tool, the United States and Spain are partnering with the Global Forum on Cyber Expertise (GFCE), a global leader in cyber capacity building that will commission experts to deliver the tool. Other CRI members have been invited to provide additional financial and practical support to the project.

UK and allies expose Iranian state agency for exploiting cyber vulnerabilities for ransomware operations

The UK and international allies have issued a joint cyber security advisory highlighting that cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) are exploiting vulnerabilities to launch ransomware operations against multiple sectors.

Iranian-state APT actors have been observed actively targeting known vulnerabilities on unprotected networks, including in critical national infrastructure (CNI) organisations.

The advisory, published by the National Cyber Security Centre (NCSC) − a part of GCHQ − alongside agencies from the US, Australia and Canada, sets out tactics and techniques used by the actors, as well as steps for organisations to take to mitigate the risk of compromise.

It updates an advisory issued in November 2021 which provided information about Iranian APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities.

They are now assessed to be affiliated to the IRGC and are continuing to exploit these vulnerabilities, as well as the Log4j vulnerabilities, to provide them with initial access, leading to further malicious activity including data extortion and disk encryption.

Paul Chichester, NCSC Director of Operations, said:

“This malicious activity by actors affiliated with Iran’s IRGC poses an ongoing threat and we are united with our international partners in calling it out.

“We urge UK organisations to take this threat seriously and follow the advisory’s recommendations to mitigate the risk of compromise.”

The NCSC urges organisations to follow the mitigation set out in the advisory, including:

- Keeping systems and software updated and prioritising remediating known exploited vulnerabilities
- Enforcing multi-factor authentication
- Making offline backups of your data

This advisory has been issued by the NCSC, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), US Cyber Command (USCC), Department of the Treasury (DoT), the Australian Cyber Security Centre (ACSC) and the Canadian Centre for Cybersecurity (CCCS).

French hospital forced to transfer patients following Ransomware attack

The Centre Hospitalier Sud Francilien (CHSF) said an attack on its computer network was detected in August. The hospital has referred patients elsewhere as the cyberattack rendered various technical systems ‘inaccessible’.

The cyberattack made various systems “inaccessible” including business software, storage systems in areas such as medical imaging, and the info systems on patient admissions, according to a CHSF statement.

As a result of the attack, patients whose care requires access to the hospital’s technical systems have been redirected to other hospitals in the area. Those who present themselves to the emergency room are being evaluated by CHSF’s medical staff, and being transferred to other institutions if necessary.

The hospital, which serves an area of around 600,000 people, said that measures have been taken to care for those already hospitalised there. However, the “exceptional situation” is expected to have an impact on the operating room, as it is closely linked to the affected technical platform.

French paper Le Monde reports that a ransom of $10m was demanded by the hackers responsible.

Cyber Attack on Greece’s Gas Operator

A group of cyber extortionists called Ragnar Locker claimed responsibility for the recent cyber-attack against the National Gas System Operator (DESFA) in Greece.

DESFA announced that it had suffered a cyber-attack on part of its IT infrastructure, which resulted in a “confirmed impact on the availability of certain systems and the possible leakage of a number of files and data.”

DESFA is responsible for the operation, management, exploitation, and development of the National Natural Gas System and its interconnections.

The statement said that IT services were proactively deactivated to limit any potential spillage and to investigate the incident while ensuring the adequate operation of the national gas supply system at all entry and exit points of the country without any complications.

The FBI has linked the Ragnar Locker group to attacks on at least fifty-two organizations and companies related to critical infrastructure in the US over the last two years.

2021 Trends Show Increased Globalized Threat of Ransomware

In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors. The United Kingdom’s National Cyber Security Centre (NCSC-UK) recognizes ransomware as the biggest cyber threat facing the United Kingdom. Education is one of the top UK sectors targeted by ransomware actors, but the NCSC-UK has also seen attacks targeting businesses, charities, the legal profession, and public services in the Local Government and Health Sectors.

Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.

This joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.

Joint global ransomware operation sees arrests and criminal network dismantled

A four-year operation across five continents has disrupted a ransomware cybercrime gang and seen the arrest of seven suspects believed to be behind global malware crime operations.

Codenamed ‘Quicksand’ (GoldDust) and carried out by 19 law enforcement agencies in 17 countries, the transcontinental operation saw officers collect and examine intelligence to establish a global threat picture about attacks by ransomware families - particularly GandCrab and REvil-Sodinokibi - and the suspects behind them.

The organized crime group that used this malware is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against their victims. The ransomware encrypts files, which are then used to blackmail companies and people into paying huge ransoms.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware infections and demanding more than EUR 200 million in ransom.

Tangible results: multiple arrests worldwide

Intelligence exchanged during the operation enabled:

- Korean law enforcement to arrest three suspects in February, April and October;
- Kuwaiti authorities to arrest a man thought to have carried out ransomware attacks using the GandCrab ransomware;
- Romanian authorities to arrest two individuals suspected of ransomware cyber-attacks and believed to be responsible for 5,000 infections as well as half a million euros profit in ransom payments;
- The arrest of a man believed to be responsible for the Kaseya ransomware attack, thought to have been carried out last July by the REvil gang with more than 1,500 people and 1,000 businesses affected worldwide.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” said INTERPOL Secretary General Jürgen Stock.

“Policing needs to harness the insights of the cyber security industry to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of ransomware cybercrime,” added the Secretary General.

A powerful global coalition

A joint INTERPOL-Europol operation, Quicksand was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared live intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

Through INTERPOL’s Gateway project, INTERPOL’s private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks also contributed to investigations by sharing information and technical expertise.
Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Bitdefender supported operations by releasing tailor-made decryption tools to unlock ransomware and enable victims to recover files. These innovative tools enabled more than 1,400 companies to decrypt their networks, saving them almost EUR 475 million in potential losses.

KPN, McAfee, S2W helped investigations by providing cyber and malware technical expertise to INTERPOL and its member countries.

Operation Quicksand continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency and commit ransomware crime.

With the combined global financial impact in ransom payments from ransomware families believed to be within the billions of dollars and thousands of victims worldwide, INTERPOL’s private partners and member countries work together to provide support to victims hit by the ransomware.

Research from Chainalysis found that criminals made USD 350 million in 2020 from ransomware payments, representing an increase of 311 per cent in one year. Over the same period, the average ransom payment increased by 171 per cent, according to Palo Alto Networks.
