Tag Archive for: ransomware

In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.

The cybercriminals paralyzed major corporations’ operations in attacks using ransomware such as LockerGoga, MegaCortex, HIVE, and Dharma.

“After remaining undetected in the compromised systems, sometimes for months, the criminals would deploy different types of ransomware, such as LockerGoga, MegaCortex, HIVE or Dharma,” Eurojust said.

“A ransom note was then presented to the victim to pay the attackers in bitcoin in exchange for decryption keys.”

Roles within this criminal network varied significantly: some members breached IT networks, while others reportedly helped launder the cryptocurrency payments made by victims to decrypt their files.

The attackers gained access to their targets’ networks by stealing user credentials in brute force and SQL injection attacks, as well as using phishing emails with malicious attachments.

Once in, they used tools like TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally and compromise other systems before triggering previously deployed ransomware payloads.

The investigation unveiled that this organized group of ransomware affiliates encrypted more than 250 servers of major corporations, leading to losses exceeding several hundred million euros.

 

Ransomware gang arrests in Ukraine

On November 21st, coordinated raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia resulted in the arrest of the group’s 32-year-old mastermind and the capture of four accomplices.

Over 20 investigators from Norway, France, Germany, and the United States helped the Ukrainian National Police with the investigation in Kyiv. Europol also set up a virtual command center in the Netherlands to process the data seized during the house searches.

“With the support of the TOR special unit, law enforcement officers conducted more than 30 authorized searches in the premises and cars of the suspects in Kyiv region, as well as in Cherkasy, Rivne, and Vinnytsia regions,” the National Police of Ukraine’ Department of Cyber Police said today [automated translation].

“Computer equipment, cars, bank and SIM cards, ‘draft’ records, as well as dozens of electronic media and other evidence of illegal activities were seized. In particular, almost 4 million hryvnias and cryptocurrency assets.”

This operation follows other arrests in 2021 as part of the same law enforcement action when police detained 12 more suspects part of the same ransomware group linked to attacks against 1,800 victims in 71 countries.

As the investigation revealed two years ago, the attackers deployed LockerGoga, MegaCortex, and Dharma ransomware. They also used malware like Trickbot and post-exploitation tools such as Cobalt Strike in their attacks.

Subsequent efforts at Europol and in Norway focused on analyzing data on devices seized in Ukraine in 2021 and helped identify additional suspects arrested one week ago in Kyiv.

 

Free LockerGoga and MegaCortex ransomware decrypters

The forensic analysis also allowed Swiss authorities to develop decryption tools for the LockerGoga and MegaCortex ransomware variants in collaboration with No More Ransom partners and Bitdefender.

This international police action was initiated by French authorities in September 2019 and focuses on locating threat actors in Ukraine and bringing them to justice with the help of a joint investigation team (JIT) comprising Norway, France, the United Kingdom, and Ukraine, with financial support from Eurojust and collaborating with Dutch, German, Swiss, and U.S. authorities.

The list of participating law enforcement agencies includes:

  • Norway: National Criminal Investigation Service (Kripos)
  • France: Public Prosecutor’s Office of Paris, National Police (Police Nationale – OCLCTIC)
  • Netherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie)
  • Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
  • Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen
  • Switzerland: Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor’s Office of the canton of Zurich, Zurich Cantonal Police
  • United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI)
  • Europol: European Cybercrime Centre (EC3)
  • Eurojust

“In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world,” Europol said.

“The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.”

 

Related Articles:

The Week in Ransomware – October 20th 2023 – Fighting Back

Qilin ransomware claims attack on automotive giant Yanfeng

Ransomware attack on indie game maker wiped all player accounts

Healthcare giant Henry Schein hit twice by BlackCat ransomware

Ukraine says it hacked Russian aviation agency, leaks data

 

Link to Source

Xchanging, a subsidiary of DXC based in the UK,  was attacked with ransomware on July 4th, 2020.  Mark Hughes, senior vice president of offerings and strategic partners at DXC Technology, wrote an article in the Harvard Business Review titled “5 Lessons We Learned From Our Ransomware Attack”. Hughes explains that a message was received from the attacker with a cartoon character making an obscene hand gesture and the note:  “We have your data.  We’ve encrypted your files. If you want to negotiate, we can talk on a secure tool or chat session.”

You might think Hughes’s first move would be to strike up the negotiations with the attacker. Instead, Hughes pinpointed the systems that were accessed and quickly isolated and neutralized the threat. The average ransomware attack takes 16 days to restore back to operational functioning. On July 5th, just one day after the attack, Hughes’s team had already cleaned and restored the impacted environment, and by Monday, July 6th Xchanging was processing insurance policies again.  

Hughes’s experience can provide many valuable lessons on how to deal with ransomware but we will just review his top 5 from the article. 

Know Your Infrastructure

First, know your infrastructure.  You need to regularly apply basic software patching hygiene. Also, make sure all networks and firewalls have enterprise security tools in place as they will alert you to malicious activity. In Hughes’s ransomware attack, the hackers used “grayware” to exploit Microsoft Windows and launch malware. While the attack was not prevented, Hughes’s team was quickly alerted that something wasn’t right and they were able to identify where the network was compromised. 

Include Senior Management

Hughes’s second point is to include senior leadership from the start. The reason why you want to include senior management is that they can make critical decisions quickly. For example, in Hughes’s crisis, senior management made the decision to sever all connectivity with Xchanging systems. This involved action from IT teams in the UK and India, and as Hughes puts it “engaging leadership from those teams allowed the shutoff to happen quickly and efficiently.”

Contact Your Authorities

Step three is to engage authorities and experts early. Law enforcement and security experts have experience dealing with ransomware cases and can give ideas on how to manage the attack and get legal support. In Hughes’s case he notified law enforcement in the United States that the ransomware was programmed to send Xchanging data to website domains in the U.S. By the end of the day, he had already received a court order to take control of the attacker’s internet domains.

Don’t Pay the Ransom

Step four is to gain as much leverage as you can and don’t pay the ransom. The experts agree – don’t pay the ransom. In the U.S. and UK measures are being taken to legally enforce against paying ransoms in a cyberattack. Hughes suggests that if you do decide to negotiate a ransom with cybercriminals, bring an experienced ransom broker on board.  

 Be Transparent

And finally, be transparent. Sharing information can help keep others safe and mobilizes a whole bunch of help from those you are in contact with including colleagues, authorities, and the security community. Hughes notified the public with a news release on Sunday, July 5th, and a few weeks later to inform the public that the ransomware was contained.

Ransomware attacks can be a messy business. There is much to be learned from Hughes’s experience on how to overcome ransomware. The writer concludes that Hughes is a hero because he not only saved his company but also passed on that saving information to us. 

The best way to avoid cyberattacks is to be prepared. Small businesses are especially at risk of attack because they are like low-hanging fruit to hackers – the most vulnerable, with the least amount of security policies and practices implemented. A little prevention will save you a lot of headaches and money in the long run. 

1. Avoid phishing scams through email

Phishing is quite common. It is the practice of sending fraudulent emails professing to be a reputable person or company. For instance, a hacker might send you an email posing as a coworker. The email appears to be legitimate but it’s not. Often the perpetrator is trying to glean personal information like passwords, employee data, company credentials, or even credit card numbers.

It’s important to screen all your emails before clicking on any links or responding to them. Don’t click on links or open attachments unless you are certain about who the sender is. If it seems questionable, forward it to your IT team for them to investigate it.

2.  Avoid malware and ransomware through a virus

Viruses can infect your computer through either email or a download from the internet. Working remotely has increased the likelihood of infecting your computer with malware or ransom because those who previously worked closely with a team are now physically distanced with less communication between coworkers. You need to have a strong anti-virus strategy in place to safeguard against the potential threat. 

This is also why it’s also important to have a backup system in place. Back-ups are your plan B when your organization’s data infrastructure is eventually compromised with malware or ransomware. They provide your organization with assurance of data security and integrity.

3. Use Strong Passwords

Don’t underestimate the strength of a good password.  Although often overlooked, a good password is a first step in protecting your system. A strong password would be at least 12 to 15 characters in length and include capital and lowercase letters, and numbers. Use a new password that is long and hard to break for each of your password-protected sites. 

You can keep all these passwords securely in a password-protected keeper service.  You will only need to remember the password to enter your vault.

4. Be sure to train your employees

Your employees are your front-line defense against cybercriminals. It’s important to have them well-trained on how to spot a cyber threat. Enroll your employees in cybersecurity training, or create and regularly conduct your own training specific to your organization. There are certain trainings that are required by the industry such as PCI training requirements.       

5. Keep all your software up-to-date

Hackers are looking for holes in your software’s programming code that will allow them to infiltrate your network. Developers are continually updating their code to provide “patches” for these holes. It’s important to keep your devices up-to-date with the most current patches.  

6. Back up everything, all the time

In the best-case scenario, you need to have three copies of all your data:  the original, a backup for yourself, and an offsite copy. There are many off-site backup options that will monitor your data for changes and automatically update as changes occur. External hard drives, a separate computer, or a flash drive are all ways you can also back up your data.            

7. Become a limited user

You want to become a limited user on your computer instead of an administrator.  Administrators have the authority to install and remove software. This means if you innocently stumbled across a website that has malware on it, the malware could instantly go to work infecting your computer. “However, if you’re not your computer’s administrator, the malware won’t work. Why? Because only the administrator has the authority to make changes to your system’s software.”

8. Don’t solely rely on antivirus programs to protect you.

Antivirus programs may provide you with a false sense of security. They can’t keep up with all the threats out there. They can provide warnings and even block some malware or attacks.  Be sure to update them regularly.   

9. Don’t trust anyone.  Always think before you act.

Hackers will use your friends, family, or business to lull you away into a false sense of security. Before you click on a link or attachment from a friend take a moment to consider whether you’re expecting an email from them. Remember never to give out your account number or password.

10. Don’t become complacent about cybersecurity

Hackers are banking on you letting your guard down. Stay vigilant and assume you’re always under attack from outside threats.