ransomware | Breaking Cybersecurity News | The Hacker News

Microsoft on Thursday disclosed that it found a new version of the  BlackCat  ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The  Impacket tool  has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's threat intelligence team  said  in a series of posts on X (formerly Twitter). "This BlackCat version also has the  RemCom hacktool  embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment." RemCom, billed as an open-source alternative to PsExec, has been put to use by Chinese and Iranian nation-state threat actors like  Dalbit  and  Chafer  (aka Remix Kitten) to move across the victim environments in the past. Redmond said it started

An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems.  Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as  Bronze Starlight  (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of  short-lived   ransomware families  as a smokescreen to conceal its espionage motives. "The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons," security researchers Aleksandar Milenkoski and Tom Hegel  said  in an analysis published today. It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name  Operation ChattyGoblin . This activity, in turn, shares commonalities with a  supply chain attack  that came to light last year leveraging a troja

The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti  emerged  in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore. The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors. "Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors," Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio  said . A  BinDiff analysis  has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul. Some of the crucial changes in

An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. "The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT),  said . The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the  SOCKS5 protocol  to and from command-and-control (C2) infrastructure. SystemBC  is a C/C++-based commodity malware and remote administrative tool that was  first seen in 2019 . Its main feature is to set up  SOCKS5 proxies  on victim computers that can then be used by threat actors to tunnel malicious traffic associ

Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society , including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware," Check Point  said  in a new report. Vice Society , tracked by Microsoft under the name Storm-0832, has a  pattern  of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them. First observed in May 2023, the  Rhysida  ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets' networks and

An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin. "The threat actor uses an uncommon technique to deliver the ransom note," security researcher Chetan Raghuprasad  said . "Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file." Yashma,  first described  by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild. A notable aspect of the ransom note is its resemblance to the well-known WannaCry ransomware, possibly done so in an attempt to ob

Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen  said  in a new report shared with The Hacker News. Mallox is linked to a threat actor that's also linked to  other ransomware strains , such as TargetCompany, Tohnichi, Fargo, and, most recently, Xollam. It first burst onto the scene in June 2021. Some of the prominent sectors targeted by Mallox are manufacturing, professional and legal services, and wholesale and retail. A notable aspect of the group is its pattern of exploiting poorly secured MS-SQL servers via  dictionary attacks  as

The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called  Sardonic  to deliver the  BlackCat ransomware . According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022. FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic , which was disclosed by Bitdefender in August 2021. "The C++-based Sardonic backdoor has the ability to harvest system information and execute c

Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis. "Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm  said  in a midyear crypto crime report shared with The Hacker News. "If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021's $939.9 million." In contrast, crypto scams have pulled in 77% less revenue than they did through June of 2022, largely driven by the abrupt exit of  VidiLook , which paid users VDL tokens in return for watching digital ads that could then be exchanged for large rewards. So have the inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops. The development, following a  declin

A developing piece of ransomware called  Big Head  is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers. Big Head was  first documented  by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment. "One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said at the time. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software." A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey. In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propag

Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify. Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it. This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations. BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data. To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an

A sophisticated stealer-as-a-ransomware threat dubbed  RedEnergy  has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The .NET malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh  said  in a recent analysis. The objective, the researchers noted, is to couple data theft with encryption with the goal of inflicting maximum damage to the victims. The starting point for the multi-stage attack is a  FakeUpdates  (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates. What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website URLs to a bogus lan

Threat actors associated with the  BlackCat ransomware  have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers  said  in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." Malvertising   refers  to the use of  SEO poisoning techniques  to spread malware via online advertising. It typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a  Cobal

A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023. "The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle  said  in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries." 8Base, according to statistics gathered by  Malwarebytes  and  NCC Group , has been linked to 67 attacks as of May 2023, with about 50% of the victims  operating  in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil. With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active sinc

The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa. Ruslan Magomedovich Astamirov, 20, of Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month. "Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware," the DoJ  said . Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to deploy the ransomware and communicate with the victims. Law enforcement agencies said they were able to trace a chunk of an unnamed victim's ransom payment to a virtual currency address operated by Astam

Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal. "Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics firm Chainalysis  said  in a report shared with The Hacker News. Earlier this March, Google Mandiant  disclosed  North Korea-based APT43's use of the hash rental and cloud mining services to obscure the forensic trail and wash the stolen cryptocurrency "clean." Cloud mining services  allow users to rent a computer system and use that computer's hash power to mine cryptocurrencies without having to manage the mining hardware themselves. But according to Chainalysis, it's not just nation-state hacking crews who are leveraging such services in the wild. In one example highlighted by

The threat actors behind the  LockBit  ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organizations since 2020. That's according to a  joint bulletin  published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K. "The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks," the agencies  said . LockBit, which first burst onto the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone, per statistics shared by  Malwarebytes  last week. The Russia-linked cartel has claimed responsibil