20 November 2022

CYBER RANSOMS + CYBER INSECURITY

THE PROBLEM IS ONLY GETTING WORSE

Here is one recent overview report (from Axios); scroll down to read the latest ransomware roundup published by Bleeping Computer.

www.axios.com

Evolving ransomware tactics are making U.S. officials' jobs harder

Sam Sabin


Illustration: Sarah Grillo/Axios

Despite the government's best efforts, squashing ransomware still remains one of U.S. cyber officials' toughest tasks.

Driving the news: During public appearances at the Aspen Cyber Summit earlier this week, government officials gave a rare glimpse into just how difficult ransomware is to fight.

What they're saying: "We’ve only seen the problem continue to get worse, even with all of the efforts we’ve made," said Paul Abbate, deputy director of the FBI, during the summit.

  • "Ransomware continues to happen at unacceptable levels," said Rob Silvers, the Department of Homeland Security's under secretary for strategy, policy and plans, at the event.
  • "We see enough attempted intrusion, and successful intrusions, every day that we're not letting our guard down even a little bit," Silvers added.

The big picture: The U.S. government has thrown all of its resources at the ransomware problem since an attack forced the Colonial Pipeline to shut down last year. But that still isn't enough to deter ransomware criminals.

State of play: In recent months, most government officials have either focused their public remarks about ransomware on the work they're doing to fight ransomware or on the success those efforts have had.

  • For example, National Security Agency Cybersecurity Director Rob Joyce said in May that ransomware had gone down due to a recent round of sanctions.
  • The White House hosted a group of 36 other governments earlier this month to discuss their counter-ransomware efforts. During an hourslong closing session, most government leaders focused on the progress their countries have made, rather than the steep road ahead.

Between the lines: A growing number of high-profile attacks in recent months — including the September attack on the L.A. Unified School District and another attack last month on CommonSpirit Health — are playing into renewed public warnings.

  • The Treasury Department also reported earlier this month that suspected payments to ransomware gangs have skyrocketed, totaling a new high close to $1.2 billion in 2021.

Between the lines: Ransomware gangs are constantly reinventing themselves, changing targets and building new tools to better attack victims — creating an ever-moving target for regulators and companies.

  • Many ransomware gangs have started putting more of an emphasis on getting victims to pay to prevent data leaks, rather than for encryption keys that will help unlock any files the ransomware seized — changing how companies respond to attacks.

The intrigue: Foreign governments have also started deploying ransomware in their attacks against one another in recent years, underscoring just how pervasive the threat has become.

Yes, but: The U.S. government has still made tackling the problem a priority, even if it remains an uphill battle.

  • During the White House's ransomware summit, each participating government pledged to not harbor ransomware criminals and to dedicate more resources to detecting and responding to the threat.
  • Last week, federal investigators announced that they had seized more than $3 billion worth of cryptocurrencies in a case involving a dark web marketplace, underscoring the improvements made to capturing cybercriminals' payments.

What's next: Many of those existing efforts need more resources to build capacity so they can properly tackle ransomware.

  • "Scale is really the name of the game at this point," said Megan Stifel, chief strategy officer at the Institute for Security and Technology, during the Aspen event.

BLEEPING COMPUTER

www.bleepingcomputer.com

The Week in Ransomware - November 18th 2022 - Rising Operations

Lawrence Abrams


There have been some interesting developments in ransomware this week, with the arrest of a cybercrime ring leader and reports shedding light on two new but up-and-coming ransomware operations.

One of the biggest stories this week is the arrest of Ukrainian Vyacheslav Igorevich Penchukov, aka 'Tank,' for his alleged role as a leader in the JabberZeus cybercrime gang that operated the Zeus malware botnet.

Penchukov is also believed to be one of the managers of the notorious Maze ransomware operation, which popularized double-extortion attacks.

Other news this week includes new reports on rising ransomware operations:

Finally, Ukraine says that a new Somnia ransomware is being used in attacks, CISA/FBI warned Iranian hackers breached a federal agency, and the FBI warned that Hive ransomware had made over $100 million in ransom payments.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @Ionut_Ilascu, @malwareforme, @malwrhunterteam, @DanielGallagher, @serghei, @jorntvdw, @fwosar, @LawrenceAbrams, @PolarToffee, @demonslay335, @FourOctets, @billtoulas, @VK_Intel, @BleepinComputer, @pcrisk, @Seifreed, @GeeksCyber, @BlackBerry, @ahnlab, and @MsftSecIntel.

November 13th 2022

Ukraine says Russian hacktivists use new Somnia ransomware

Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems.

November 14th 2022

A Technical Analysis of Royal Ransomware

Royal ransomware is a recent threat that appeared in 2022 and was particularly active during recent months. The ransomware deletes all Volume Shadow Copies and avoids specific file extensions and folders. It encrypts the network shares found in the local network as well as the local drives. A parameter called “-id” that identifies the victim and is also written in the ransom note must be specified in the command line.

Australia to consider banning paying of ransoms to cyber criminals

Australia's Home Affairs Minister Clare O'Neil on Sunday said the government would consider making illegal the paying of ransoms to cyber hackers, following recent cyber attacks affecting millions of Australians.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .faust extension to encrypted files and drops ransom notes named info.txt and info.hta.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .fatp and .fate extensions to encrypted files.

New Xorist ransomware variant

PCrisk found a new Xorist variant that appends the .ZeRy extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

November 16th 2022

Suspected Zeus cybercrime ring leader ‘Tank’ arrested by Swiss police

Vyacheslav Igorevich Penchukov, also known as Tank and one of the leaders of the notorious JabberZeus cybercrime gang, was arrested in Geneva last month.

US govt: Iranian hackers breached federal agency using Log4Shell exploit

The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.

DAGON LOCKER Ransomware Being Distributed

It was discovered that the DAGON LOCKER ransomware (hereinafter referred to as “DAGON”) is being distributed in Korea. It was first found through AhnLab ASD infrastructure’s suspicious ransomware behavior block history. In October, it was also reported to AhnLab as a suspicious file by a Korean organization. DAGON is commonly distributed through phishing emails or as an email attachment, but because it is a ransomware-as-a-service, the distribution route and targets can vary according to the threat actor.

New VoidCrypt variant

PCrisk found a new VoidCrypt variant that appends the .DRCRM extension and drops a ransom note named Read.txt.

New Anthraxbulletproof variant

PCrisk found a new 'Anthraxbulletproof' ransomware based on Chaos that appends the .Anthraxbulletproof extension and drops a ransom note named read_it.txt.

November 17th 2022

Previously unidentified ARCrypter ransomware expands worldwide

A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide.

FBI: Hive ransomware extorted $100M from over 1,300 victims

The Federal Bureau of Investigation (FBI) said today that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021.

DEV-0569 finds new ways to deliver Royal ransomware, various payloads

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.

November 18th 2022

New Satana ransomware variant

PCrisk found a new SATANA ransomware variant that appends the .SEX3 extension and drops a ransom note named !satana!.txt.
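The PCrisk items above each identify a variant by the extension it appends and the ransom note it drops. As an added example (not code from Bleeping Computer or PCrisk), here is a small incident-response triage script that walks a directory tree, tallies both artefact types per family using only the extensions and note names listed on this page, and grades the attribution: a matching extension plus its note is a strong signal, while a lone note such as info.txt or Read.txt is weak because those names are common. The sample tree it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Appended extension -> family, and ransom-note filename -> family, from the items above.
EXT_TO_FAMILY = {
    ".faust": "Phobos", ".fatp": "STOP", ".fate": "STOP", ".ZeRy": "Xorist",
    ".DRCRM": "VoidCrypt", ".Anthraxbulletproof": "Anthraxbulletproof",
    ".SEX3": "Satana",
}
NOTE_TO_FAMILY = {
    "info.txt": "Phobos", "info.hta": "Phobos",
    "HOW TO DECRYPT FILES.txt": "Xorist", "Read.txt": "VoidCrypt",
    "read_it.txt": "Anthraxbulletproof", "!satana!.txt": "Satana",
}

def triage(root):
    """Walk root and return {family: {"encrypted": count, "notes": [relative paths]}}."""
    findings = {}
    def bucket(fam):
        return findings.setdefault(fam, {"encrypted": 0, "notes": []})
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        fam = EXT_TO_FAMILY.get(path.suffix)   # final suffix only; spelling is case-sensitive
        if fam:
            bucket(fam)["encrypted"] += 1
        fam = NOTE_TO_FAMILY.get(path.name)
        if fam:
            bucket(fam)["notes"].append(str(path.relative_to(root)))
    return findings

def verdict(findings):
    """Per family: encrypted files and a note -> high; files only -> medium; note only -> low."""
    out = {}
    for fam, f in findings.items():
        if f["encrypted"] and f["notes"]:
            out[fam] = "high"
        elif f["encrypted"]:
            out[fam] = "medium"
        else:
            out[fam] = "low"
    return out

def make_sample_tree():
    """Constructed sample: a Phobos-style hit, one Xorist-extension file, a stray Read.txt."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    for name in ("docs/report.docx.faust", "docs/photo.jpg.faust", "info.txt", "info.hta",
                 "docs/notes.txt.ZeRy", "Read.txt", "docs/clean.pdf"):
        (root / name).write_text("sample")
    return root

if __name__ == "__main__":
    print(verdict(triage(make_sample_tree())))
```

Point the script at a mounted forensic image or a file-share root to get a first-pass family attribution before deeper analysis.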

That's it for this week! Hope everyone has a nice weekend!
