Utah University ransom paid even with backups 🎭

Fighting off a ransomware attack no longer ends with having proper backups. The trend has changed a lot.

University of Utah revealed it paid $457,059 to a ransomware gang, despite successfully restoring the school’s IT systems following the attack.

The university decided to give in because the hackers also stole some private data from the school, which they apparently threatened to leak. “After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet,” the school said.

The unnamed ransomware was able to take down the department’s servers by encrypting the information inside. Fortunately, the school restored the systems using backup copies.

The school’s investigation found that the attack only affected “0.02 percent” of the data on the servers. Nevertheless, the hackers gained access to employee and student information before encrypting the servers, so the school decided to pay up.

It’s not clear which ransomware strain was behind the attack, or how the initial infection occurred. The university filed a data breach report indicating that the attack occurred through a phishing email, which ended up affecting data on 10,000 people.

Antivirus provider Emsisoft suspects the Netwalker ransomware gang may have been behind the attack, citing how the hackers have been tied to a string of attacks on universities. Other ransomware gangs, including Maze and REvil, will also resort to stealing data from victims’ computers before encrypting the information inside.

The University of Utah says its insurance provider covered part of the ransom while the school paid the rest. “No tuition, grant, donation, state or taxpayer funds were used to pay the ransom,” it added.

The vulnerability the hackers leveraged to launch the ransomware has also been patched. However, the university says it needs to centralize the school’s IT systems to help it guard against future attacks.

WastedLocker Evasion Technique

As time goes on, one ransomware after another comes and goes, like the seasons: summer, winter, rainy, spring. Once released, each becomes the talk of the town and one big organisation after another gets hit; paying ransoms and getting the decryptors is routine nowadays. The difference is that each one is more sophisticated than the last, and the techniques used for evasion vary.

Here we see how WastedLocker used its technique to evade security systems.

WastedLocker, a ransomware strain that reportedly shut down Garmin’s operations for several days in July, is designed to avoid security tools within infected devices, according to a technical analysis from Sophos.

The ransomware abuses a Microsoft Windows memory management feature to evade detection by security software. Sophos researchers also found other tools within the malware designed to make it difficult to detect.

“WastedLocker … is cleverly constructed in a sequence of maneuvers meant to confuse and evade behavior-based anti-ransomware solutions,” the Sophos analysis says.

Evading Security

WastedLocker and other newer strains of ransomware are increasingly being designed to avoid detection and security tools. These so-called “survival skills” allow the malware to live in the network long enough to encrypt files.

“Survival demands that static and dynamic endpoint protection struggle to make a determination about a file based on the appearance of its code, and that behavioral detection tools are thwarted in their efforts to determine the root cause of the malicious behavior,” the report adds.

WastedLocker appears to have adopted a technique similar to one used by a ransomware strain called Bitpaymer. This method of avoidance targets the Windows API functions within the memory, according to the report.

“This technique adds an additional layer of obfuscation by doing the entire thing in memory, where it’s harder for a behavioral detection to catch it,” the report says.

In-memory evasion

WastedLocker also makes it harder for behavior-based anti-ransomware tools to keep track of what is going on by using memory-mapped I/O to encrypt a file, Sophos reports. This involves transparently encrypting cached documents in memory without causing disruptions to the disk I/O, which shields it from behavior monitoring software.

The Windows memory management feature improves performance by keeping files or applications that have been read in the operating system’s cache. To trick anti-ransomware tools, WastedLocker opens a file, caches it in memory and then closes it.

WastedLocker closes the file once it has mapped it in memory, and the victim might mistake this for an error. But the trick works because the Windows Cache Manager also opens a handle to the file once it is mapped into memory.

Once the data is stored in the Windows Cache Manager, WastedLocker encrypts the file’s content stored in the cache. When the data stored in the cache is modified, it becomes “dirty” so that, eventually, Windows writes the encrypted cached data back to the original files, and anti-ransomware software does not detect any illegitimate process.

Ransomware families that affect ICS

A total of seven ransomware families have been found to target processes associated with operational technology (OT) software, and FireEye this week published an analysis of these pieces of malware.

Many ransomware families are designed to kill certain types of running processes. They might target security products to prevent them from blocking the attack and they can also terminate critical system processes so that they can encrypt files associated with these applications in an effort to cause disruption, which can increase the cybercriminals’ chances of getting paid by the victim.

There are two main “process kill lists” that include industrial software. One of them, which targets over 1,000 processes, is used by six ransomware families, including SNAKE (SNAKEHOSE, EKANS), DoppelPaymer, LockerGoga, Maze, MegaCortex and Nefilim. The second list, which targets 1,425 processes, has only been found to be used by the CLOP ransomware.

While the first list targets only a couple dozen ICS processes, mainly associated with the GE Proficy solution, the second list targets over 150 processes related to industrial products, including Siemens SIMATIC WinCC, Beckhoff TwinCAT, National Instruments data acquisition software, Kepware KEPServerEX, and the OPC communications protocol.

In the case of the first list, which may have been posted on an underground forum or shared by a threat actor with other groups, the termination of the targeted OT processes can result in a limited loss of view of historical process data, but it’s unlikely to prevent the victim from controlling physical processes.

In the case of the second list, only used by the CLOP ransomware, which has been tied to a Russia-linked threat group tracked as TA505, FireEye researchers believe the list has been expanded based on the attackers’ reconnaissance activity conducted in victim networks.

The group has been active since at least 2016 — possibly as early as 2014 — and based on what researchers know about it, the targeting of industrial systems is likely just another technique used to increase their chances of making money. However, the termination of OT processes targeted by CLOP is more likely to cause disruption compared to the other pieces of ransomware.

“Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision,” FireEye said.

“While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups,” the cybersecurity firm added.
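As an added example (not from the FireEye report or this post), a small Python detector for the behaviour described above: one parent process terminating several watched OT products within a short window. The executable names in OT_WATCHLIST and the sample events are constructed placeholders, and the pipe-separated event format is an assumption standing in for Sysmon or audit process logs.

```python
# Added example: detect bursts of OT process terminations, the behaviour the
# kill lists above produce. Executable names are CONSTRUCTED placeholders
# keyed by product; the event format stands in for Sysmon/audit process logs.
from collections import defaultdict
from datetime import datetime, timedelta

OT_WATCHLIST = {                      # placeholder image name -> product
    "proficy_historian.exe": "GE Proficy",
    "wincc_runtime.exe": "Siemens SIMATIC WinCC",
    "twincat_system.exe": "Beckhoff TwinCAT",
    "kepserverex.exe": "Kepware KEPServerEX",
    "opc_server.exe": "OPC",
}
WINDOW = timedelta(seconds=30)        # burst window
THRESHOLD = 3                         # distinct OT products killed in WINDOW

def parse_event(line):
    """Parse 'ISO8601|EventType|image|parent_image' into a dict."""
    ts, kind, image, parent = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "image": image.lower(), "parent": parent.lower()}

def detect_ot_kill_bursts(lines):
    """Return (parent, first_ts, products) for every parent process that
    terminates >= THRESHOLD distinct watched OT products within WINDOW."""
    by_parent = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["kind"] == "ProcessTerminate" and ev["image"] in OT_WATCHLIST:
            by_parent[ev["parent"]].append(ev)
    alerts = []
    for parent, evs in sorted(by_parent.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            products = sorted({OT_WATCHLIST[e["image"]] for e in window})
            if len(products) >= THRESHOLD:
                alerts.append((parent, first["ts"], products))
                break                 # one alert per offending parent
    return alerts

# Constructed sample log: a single service stop vs. a rapid kill burst.
SAMPLE = [
    "2020-08-20T10:00:00|ProcessTerminate|wincc_runtime.exe|services.exe",
    "2020-08-20T12:30:00|ProcessTerminate|proficy_historian.exe|update.exe",
    "2020-08-20T12:30:02|ProcessTerminate|wincc_runtime.exe|update.exe",
    "2020-08-20T12:30:05|ProcessTerminate|twincat_system.exe|update.exe",
    "2020-08-20T12:30:07|ProcessTerminate|kepserverex.exe|update.exe",
    "2020-08-20T12:30:08|ProcessCreate|notepad.exe|explorer.exe",
]
```

Calling detect_ot_kill_bursts(SAMPLE) flags only update.exe, which stopped four watched products in seven seconds; the lone WinCC stop by services.exe stays below the threshold.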

The operators of the CLOP ransomware have set up a website where they leak information from companies that refuse to pay up. One of their most high-profile victims is US-based pharmaceutical giant ExecuPharm.

The cybercriminals claim they will never target hospitals, nursing homes, orphanages and charitable foundations. On one hand, they threaten to leak data stolen from organizations whose systems they have hacked, and on the other hand they offer to help victims secure their systems for a low fee.

Hackers targeting other hackers! Quite interesting.

A group of hackers is fighting back against online scammers by targeting “scam” companies with ransomware and denial of service attacks.

A new ransomware called Milkman Victory was recently discovered online and the hackers behind it, who call themselves CyberWare, revealed that they created it specifically to send to scammers. In these scams, victims are told that they will receive a loan after making a payment to a company but in reality there is no loan and no way for them to get their money back.

This isn’t the first time we’ve seen hackers targeting other hackers: back in March of this year, Cybereason discovered that hackers were modifying existing hacking tools by injecting a powerful remote-access Trojan into them.

Targeting scammers

As part of its new campaign against scammers, CyberWare is sending phishing emails containing links to executables disguised as PDF files. The group is also conducting denial of service attacks to bring down scam companies’ websites.

The MilkmanVictory ransomware is being distributed as a destructive wiper attack, as it does not provide victims with a way to contact the attackers and does not save the encryption key. Instead, victims receive a ransom note on their computers which reads: “Hello!, This computer has been destroyed with the MilkmanVictory Ransomware because we know you are a scammer! – CyberWare Hackers :-)”.

Apparently the new ransomware is based on Hidden Tear, and because of this, even if the key is not saved, files can still be decrypted using brute force attacks.