Tag: ransomware

13
Oct
2020
Posted in technology

Prominent Stages In The Evolution Of Ransomware

At its rudimentary stage, online extortion was all about bluff and did not use cryptography at all. It hinged upon screen lockers stating that the FBI caught users violating copyright or distributing NSFW content. Victims were instructed to pay a fine via a prepaid service such as MoneyPak or Ukash.

Things have changed dramatically over time. Ransomware operators rethought the range of their intended victims, switching to the enterprise as juicier prey than individuals. In recent years, they also added a data leak strategy and DDoS threats to their genre. As a result, online extortion has matured into one of today’s most detrimental cybersecurity perils.

Ransomware went pro in 2013

The first mainstream file-encrypting ransom Trojan called CryptoLocker made its debut in September 2013. It used an asymmetric 2048-bit RSA cipher to lock down data and stored the decryption keys on its command-and-control (C2) server. The size of the ransom initially amounted to $100 worth of prepaid cards or bitcoins but grew to $600 in only three months.

This campaign came to a halt in June 2014 due to a law enforcement crackdown called Operation Tovar. Although the infection was short-lived, it played its evil role by demonstrating the viability of the extortion model with cryptography at its heart.

A series of predatory programs, including CTB-Locker and CryptoWall, followed in the footsteps of CryptoLocker shortly afterward. Their makers targeted different types of operating systems and took the dodgy tactics further by hosting payment sites and C2 infrastructures on the Tor anonymity network.

Ransomware-as-a-Service

In 2016, threat actors gave their schemes another boost by launching a ransomware deployment mechanism that resembled a garden-variety affiliate marketing framework. Known as Ransomware-as-a-Service (RaaS), this approach

12
Oct
2020
Posted in software

Software AG Hit by Data-Stealing Ransomware Attack

A major German enterprise software company has become the latest tech name to suffer a likely ransomware attack featuring information theft.

IoT specialist Software AG, which claims to have over 10,000 customers and annual revenue exceeding €800m, revealed the news in a brief update late last week.

The note claimed the attack had been ongoing since Monday and had yet to be fully contained.

“Today, Software AG has obtained first evidence that data was downloaded from Software AG’s servers and employee notebooks. There are still no indications for services to the customers, including the cloud-based services, being disrupted. The company is refining its operations and internal processes continuously,” it explained on October 8.

“Software AG is further investigating the incident and is doing everything in its power to contain the data leak and to resolve the ongoing disruption of its internal systems, in particular to restart its internal systems as soon as possible which had been shut down for security reasons.”

Although the firm’s website appears to be up and running as normal, it is requesting users with support issues to email their problem and leave a number for call back, “due to technical issues with our online support system.”

Researchers MalwareHunterTeam posted on social media that the firm had been hit by the Clop variant, one which usually demands a ransom of $20 million. The group apparently claims to have swiped around a terabyte of data.

The incident is yet another sign of ransomware groups increasingly going after large enterprise targets with deep pockets. They will often perform detailed reconnaissance before striking in advanced multi-stage attacks using APT-style tactics to stay hidden while exfiltrating data and finally deploying the ransomware.

An attack on IT services giant Cognizant cost the firm an estimated $50-70m in Q2 2020, it admitted earlier

11
Oct
2020
Posted in software

German tech giant Software AG hit by Clop ransomware attack

German tech giant Software AG has been hit by a ransomware attack that caused the company to suspend services.

The attack occurred Oct. 3 and has been attributed to Clop ransomware. As is typical in a ransomware attack in 2020, the company’s files were encrypted and those behind the attack demanded a ransom payment of about $20 million or they would publish internal company data.

Software AG did not pay the ransom and, according to a report on ZDNet Friday, those behind the attack have started to publish internal company information. In one screenshot, the personal details of Software AG Chief Executive Officer Sanjay Brahmawar were published, including a scan of his passport.

The company formally disclosed the ransomware attack in a statement Oct. 5, describing it as a “malware attack.” Although its current recovery status is unknown, for now the company has as its lead story on its website “important customer information.” The statement says that “due to technical issues with our online support system, we kindly ask you to send us an email with your problem description and a number for call back.” It would appear that a week later, it’s still having issues due to the ransomware attack.

Clop ransomware and the related ransomware group have been linked to previous attacks, including data being stolen from pharmaceutical industry outsourcing company ExecuPharm in April.

“Ransomware gangs are becoming bolder and more sophisticated, going after larger and more lucrative targets with their criminal attacks,” Saryu Nayyar, chief executive officer of security and risk analytics firm Gurucul Solutions Pvt Ltd A.G., told SiliconANGLE. “Even with a complete security stack and a mature security operations team, organizations can still be vulnerable. The best we can do is keep our defenses up to date, including behavioral analytics tools that can identify new

11
Oct
2020
Posted in software

German tech giant Software AG down after ransomware attack

software-ag-logo.png

Image: Software AG

Software AG, one of the largest software companies in the world, has suffered a ransomware attack over the last weekend, and the company has not yet fully recovered from the incident.

A ransomware gang going by the name of “Clop” has breached the company’s internal network on Saturday, October 3, encrypted files, and asked for more than $20 million to provide the decryption key.

Earlier today, after negotiations failed, the Clop gang published screenshots of the company’s data on a website the hackers operate on the dark web (a so-called leak site).

The screenshots show employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.

saoftware-ag.png

Image: ZDNet

Software AG disclosed the incident on Monday when it revealed it was facing disruptions on its internal network “due to [a] malware attack.”

The company said that services to customers, including its cloud-based services, remained unaffected and that it was not aware “of any customer information being accessed by the malware attack.” This statement was recanted in a later press release two days later, when Software AG admitted to finding evidence of data theft.

The message about the attack remained on its official website homepage all week, including today.

Software AG did not return phone calls today for additional details or comments about the incident.

A copy of the ransomware binary used against Software AG was discovered earlier this week by security researcher MalwareHunterTeam. The $20+ million ransom demand is one of the largest ransom demands ever requested in a ransomware attack.

software-ag-ransom-note.png

Image: supplied

The ID provided in this ransom note allows security researchers to view the online chats between the Clop gang and Software AG on a web portal managed by the ransomware group. At the time of writing, there is no

06
Oct
2020
Posted in technology

REvil Ransomware Gang Offers $1 Million As Part Of Recruitment Drive

The criminal group behind the REvil ransomware operation has deposited bitcoin worth $1 million on a Russian-speaking hacker website, as part of a drive to recruit more members.

Posting to a forum on the dark web, the group announced that it had deposited the $1 million to prove that it had the financial means of employing new recruits. It also announced that it’s specifically looking for new “affiliates,” who would be responsible for hacking organisations with ransomware.

The REvil ransomware group operates as part of a new breed of ‘Ransomware-as-a-Service’ (Raas) enterprises. Their core team of developers design the ransomware, while the so-called affiliates infect devices with the malware. The developers receive a 20-30% cut of the proceeds of any successful ransomware attack, while affiliates receive a 70-80% payout.

As the gang’s post explains, it’s currently looking for people with “experience and skills in penetration testing.” In other words, it’s looking for hackers.

Ransomware On The Rise

The use of ransomware has grown exponentially in recent years. One September report from cyber-security firm Bitdefender found a 715% increase over the past 12 months alone.

The impact of ransomware has also been heightened since the beginning of the coronavirus pandemic, with one recent attack targeting a firm that sells software used in clinical trials. Another ransomware attack, in Germany, resulted in a patient dying last month after she had to be moved to a hospital in another city.

The $1 million deposit provides clear insight into just how lucrative this business of disrupting computer systems really is. The REvil gang deposited bitcoins worth $1 million in an electronic wallet hosted by