Tag: ransomware

Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Between 2021 and 2023, ransomware and data-encryption attacks on government and critical infrastructure organizations worldwide have been attributed to threat actors suspected of having ties to China and North Korea. Cybersecurity companies SentinelOne and Recorded Future said in a joint report shared with The Hacker News that one cluster of activity has been linked to ChamelGang (also known as CamoFei), while the second cluster overlaps with activity previously attributed to state-sponsored groups in China and North Korea. This includes ChamelGang's 2022 CatB ransomware attacks against the All India Institute of Medical Sciences (AIIMS) and the Brazilian Presidency, as well as attacks on an East Asian government and an aviation organization in the Indian subcontinent. ...

Linux version of TargetCompany ransomware focuses on VMware ESXi

Researchers have discovered a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi installations and delivers and runs its payloads via a custom shell script. The TargetCompany ransomware operation, also known as Mallox, FARGO, and Tohnichi, first surfaced in June 2021 and has concentrated on database attacks (MySQL, Oracle, and SQL Server) against businesses located mostly in Taiwan, South Korea, Thailand, and India. In February 2022, the antivirus company Avast announced a free decryption tool covering the versions released up to that time. By September, however, the gang had resumed its usual activity, targeting vulnerable Microsoft SQL servers and threatening victims with the release of stolen data over Telegr...

CISA: Black Basta ransomware breached over 500 orgs worldwide

CISA and the FBI said today that affiliates of the Black Basta ransomware compromised more than 500 organizations between April 2022 and May 2024. According to the joint advisory, released together with the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the gang also encrypted and stole data from organizations in at least 12 of the 16 critical infrastructure sectors. CISA says Black Basta affiliates have attacked more than 500 private sector and critical infrastructure entities, including hospitals, across North America, Europe, and Australia. Black Basta emerged as a ransomware-as-a-service (RaaS) operation in April 2022, and its affiliates have since compromised a number of well-known victims. ...

Microsoft Warns as Scattered Spider Expands from SIM Swaps to Ransomware

The prolific threat actor known as Scattered Spider has been observed posing as newly hired employees at targeted companies, a ruse intended to blend in with normal onboarding procedures, hijack accounts, and compromise organizations worldwide. The financially motivated group's activities were detailed by Microsoft, which called the adversary "one of the most dangerous financial criminal groups" and highlighted its operational fluidity and its incorporation of help desk fraud, SIM swapping, and SMS phishing into its attack model. Microsoft described Octo Tempest, its name for the group, as a collective of native English-speaking, financially motivated threat actors known for launching wide-ranging campaigns that rely heavily on social engineering, adversary-in-the-middle (AiT...

ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers

Security researchers have discovered infrastructure belonging to a threat actor known as ShadowSyndicate, which is believed to have used seven different ransomware families in attacks over the past year. Group-IB analysts, working with Bridewell and independent researcher Michael Koczwara, attribute ShadowSyndicate's use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware with varying degrees of confidence. Although the data indicates that ShadowSyndicate is connected to a number of ransomware operations, the researchers conclude that the threat actor may be an initial access broker (IAB). Based on a unique SSH fingerprint they found on 85 servers, the majority of which were identified as Cobalt Strike command-and-control machines, ...

Ransomware access broker steals accounts via Microsoft Teams phishing

Microsoft says that a ransomware group's go-to initial access broker has recently turned to Microsoft Teams phishing attacks to infiltrate corporate networks. The financially motivated threat group behind this campaign is Storm-0324, which has previously deployed the Sage and GandCrab ransomware. After infiltrating corporate networks using JSSLoader, Gozi, and Nymaim, Storm-0324 has also handed access to the notorious FIN7 cybercrime group. FIN7 (also known as Sangria Tempest and ELBRUS) has been observed deploying Clop ransomware on its victims' networks, and was previously connected to the now-defunct BlackMatter and DarkSide ransomware-as-a-service (RaaS) operations as well as to the Maze and REvil ransomware. ...

LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants

Threat actors are abusing the LockBit 3.0 ransomware builder to produce new variants, following the tool's leak last year. Russian antivirus firm Kaspersky said it discovered a ransomware intrusion that used a LockBit variant but with a noticeably different ransom demand procedure. Security researchers Eduardo Ovalle and Francesco Figurelli noted that the attacker chose to use a different ransom note, with a title referring to a previously unknown group called NATIONAL HAZARD AGENCY, unlike the LockBit group, which doesn't specify the amount and uses its own communication and negotiation platform. ...

BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising

Threat actors connected to the BlackCat ransomware have been observed using malvertising techniques to spread fake WinSCP installers. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in a report released this week. In this case, the distribution used a cloned webpage for the popular open-source Windows file transfer program WinSCP. Malvertising is the practice of disseminating malware through online advertising by using SEO-poisoning techniques ...

New ransomware gang 8BASE behind surge of May attacks

According to a recent study, ransomware attacks on organizations worldwide increased by about 25% in May, the highest monthly total so far this year, with the increase partly attributable to the arrival of a new gang on the scene, 8BASE. May 2023 was a record-breaking month for ransomware attacks, according to a recent Cyber Threat Intelligence report from NCC Group, one of the largest cybersecurity consulting firms in the world. Beyond the rise over the prior month, the May figures also represented a 56% increase in attacks compared to May 2022. According to the report, a total of 436 ransomware victims were identified in May ...

Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency

According to new research, nation-state actors have joined ransomware operators and cryptocurrency scammers in abusing cloud mining services to launder digital assets. "Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics company Chainalysis said in a report shared with The Hacker News. Google Mandiant revealed earlier this month that the North Korea-based APT43 uses cloud mining and hash rental services to hide the forensic trail ...