Rainy Ransomware August! Storm hit

Large-scale breaches have mushroomed in 2020, with an increase of 273% in the first quarter as compared to the previous year. Ransomware is among the most common types of attacks and is up by 90%, as per a recent report.

Tricks up their Sleeves

Ransomware operators have started using memory-mapped I/O to encrypt files, making it difficult for behavior-based anti-ransomware solutions to monitor malicious activities.

WastedLocker is using this technique to encrypt cached documents in memory, without causing additional disk I/O, which can shield it from behavior-monitoring software.

Researchers have identified a new element in recent Sodinokibi (REvil) campaigns, wherein the operators scan compromised networks for PoS software to make additional money from payment information. Attackers might use the payment information directly to drain accounts or sell it on underground forums.

Ransomware Attackers Up the Ante
Allegedly, Maze ransomware operators have infected the network of SK Hynix, the RAM and flash memory supplier, and leaked some of the stolen files on their website as proof of the infiltration, holding the semiconductor giant to ransom.

A ransomware attack targeted the services of SnapFulfil, a cloud-based warehouse management software provider, disrupting warehouse operations for at least one of its customers. The U.K.-based company is working with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) to restore its systems.

Hackers accessed guest and employee data and encrypted a portion of the IT systems of one of the brands of the British-American cruise operator Carnival in a ransomware attack.

Netwalker ransomware operators attacked Forsee Power, a lithium-ion battery systems provider, and shared a few screenshots of folders containing sensitive data as evidence of the breach on their online blog.

Brown-Forman, the makers of Jack Daniel’s, lost 1TB of corporate data at the hands of Sodinokibi ransomware. Some of the other firms that fell victim to ransomware attacks this month include Konica Minolta, SPIE group, R1 RCM, Boyce Technologies, LG, Xerox, and Canon.

While many organizations use conventional signature-based solutions to protect their data, files, and systems, they need to take a more comprehensive approach toward security to address the threats posed by evolving ransomware. Not only endpoint security protects… Defence in depth must be maintained at a granular level to uphold security.

PayTM fortress breached

Paytm Mall, the e-commerce arm of unicorn Paytm, has suffered a “massive” data breach and a cybercrime group has demanded ransom as it has gained unrestricted access to the platform’s entire database.

Hacker group John Wick is said to be responsible for the Paytm Mall database breach. “According to sources, the perpetrator claimed the hack happened due to an insider at Paytm Mall. The claims, however, are unverified, but possible,” the report said. The ransom demanded was pegged at 10 ETH (ether coins), equivalent to $4,000.

John Wick is a notorious hacking group or actor that broke into multiple Indian companies and collected ransoms from various organisations. The actor has other aliases such as “South Korea” and “HCKINDIA”. One of the tactics used by this group is “to act” as a grey-hat hacker and offer help to companies or victims to fix their bugs, the report added.

The report comes a month after a reported ransomware attack on Indiabulls Group, in which the hackers threatened to leak critical data owned by its group firms, such as account transaction details, vouchers, and letters sent to bank managers, and a similar data breach at Gurugram-based online marketplace LimeRoad, which leaked the data of 1.29 million users.

DarkSide! Ransomware

Recently, DarkSide has been launching customized attacks and asking for millions of dollars in ransom payouts. A similarity in source code implies these threat actors could be following in the footsteps of the GandCrab and REvil ransomware operators.

How do the actors operate?

The new ransomware operation DarkSide is attacking numerous companies, trying to gain access to an administrator account and the Windows domain controller on the breached network.

After getting inside, they harvest unencrypted data from the victim’s servers and upload it to their own devices.
According to Advanced Intel’s Vitali Kremez, DarkSide terminates various databases, office applications, and mail clients to prepare the victims’ machines for encryption.

Their ransom demands range from $200,000 to $2,000,000. Apparently, the hackers also run a leak site where they list the victim company name, the breach date, and screenshots as proof.

The hacker’s view

The DarkSide threat actors claimed to have made millions of dollars working with other well-known cryptolockers.
They stated that they were looking for a new custom product to suit their requirements, and hence they created this ransomware.

Possible connection to REvil and GandCrab
DarkSide purposely avoids infecting victims in Commonwealth of Independent States (CIS) countries. The source code to perform this action is similar to the code used in REvil and GandCrab.

Additionally, the ransom note left by DarkSide uses almost the same template as the REvil ransom note.

Ransomware on the rise

A drastic increase has been observed in ransomware attacks. On the one hand, a large number of new ransomware families, such as VHD, Ensiko, and several others, have surfaced in the market.

Caution must

For protection against the ever-growing risk of ransomware, organizations need to guard against it with robust measures, such as frequent data backups, multi-factor authentication, and the use of intrusion detection and prevention solutions.

Maze Cartel! Expands

The Maze ransomware “cartel” is growing.

Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.

Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims’ data on Maze’s “news” site and extort their victims.

The Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze. “They’ve published data from a number of Maze attacks.”

Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks. It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group.

Recently, researchers came across a leak disclosure post in which Conti ransomware operators claim to have breached the Volkswagen Group.

The further expansion highlights the increasing momentum of Maze, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to be the latest work of the cybercriminal gang.