Cyberattacks Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/cyberattacks/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Fri, 05 Jan 2024 04:36:19 +0000

Dangerous Virus & Malware Threats in 2023
https://gridinsoft.com/blogs/dangerous-malware-trends-2023/
Published: Mon, 09 Jan 2023 18:22:34 +0000

Virus and malware threats constantly evolve, becoming more sophisticated and more dangerous over time, which makes it difficult to keep your data secure. Unless you are adequately protected, you risk becoming a victim of the latest malware attacks. Cybercriminals are relentless: they will stop at nothing to access your computer or phone and steal your most valuable data, including banking details, personal photos and identity documents. This is why it is important to run effective anti-malware protection on every device you use, whether Windows, macOS, Android or iOS.

1. Ransomware threats

Ransomware is the most destructive threat on this list: once it has run, the damage is rarely reversible. It encrypts files with strong, correctly implemented cryptography (typically a per-file symmetric key that is in turn encrypted with the attackers' public key), so without the attackers' private key the files cannot be recovered. Ransomware targets both individual users and corporations. Demands range from a few hundred dollars (for home users) to $50 million (the sum REvil demanded from Acer in March 2021). Many groups also practise double extortion, threatening to publish stolen data if the ransom is not paid; triple extortion adds further pressure, such as DDoS attacks or direct contact with the victim's customers. A widely used delivery method is spam email with an attached file, most often an MS Office document containing a malicious macro. Macros were originally meant to add interactivity to documents, but because they can run arbitrary code when a document is opened, they make an excellent malware carrier.

Avaddon ransomware note
Typical Avaddon ransom note

2. New Disguises for Malware threats

Criminals use news stories and global events as lures. During the COVID-19 outbreak, scammers exploited the confusion and the virus theme to target victims with malware: by disguising emails as important information, they trick victims into clicking a link that pushes malicious software onto their devices. In 2022 the Russia-Ukraine war became the disguise for such mailings. Who knows what will be used next?

Over time, malware authors have developed hundreds of methods to make their malware look "new again" and evade security measures. The old disguises are not going anywhere either: scary banners such as PORNOGRAPHIC VIRUS ALERT FROM MICROSOFT or URGENT WINDOWS UPDATE have been in use for years. Note that an old disguise may well deliver a brand-new infection, so do not assume that old lures only carry old malware.

New Disguises for Malware
The example of scary banners

3. Fleeceware

Fleeceware apps keep charging users significant amounts of money even after the apps have been deleted, because the subscription is held by the app store and survives the uninstall. Recent studies estimate that over 600 million Android users have downloaded fleeceware in the past few years. Fleeceware is not a significant security threat to a user's device or data, but it is common, and it is a questionable practice by app developers who want to take advantage of unsuspecting users.

4. IoT Device Attacks

IoT is the large population of Internet-connected devices that exchange data with one another. It helps organisations grow and even serve customers. Organisations that want to safeguard their data in transit, and the devices it passes through, must understand the importance of IoT security, because these devices are an increasingly popular target. The number of attacks on IoT devices grows every year, which has to be taken into account and countered.

Coffee machine ransomware
Ransom note on a smart coffee machine

Additionally, many IoT devices lack the storage and processing capacity needed to implement proper security measures. They often hold readily accessible data, including usernames and passwords, which attackers can use to access user accounts and steal sensitive information such as banking details. Attackers can also abuse internet-connected cameras and microphones to watch and talk to people, including children, through smart baby monitors.

5. Social Engineering

Social engineering is one of the best-known methods by which fraudsters deceive and manipulate users, instilling fear and urgency. Once the victim is emotionally invested, the fraudsters distort their perception. Any human error is therefore a vulnerability that social engineering can exploit.

In this case, the attacker starts by contacting a company or service provider while pretending to be a specific individual. Next, they tell a plausible story and deceive the customer support staff into divulging sensitive information. Then they use that information to access the person's account and data, including payment details. This is not malware per se, but social engineering is a concerning trend, as it does not require the attacker to know how to code or build malware. All the attacker needs is to be convincing and to let human error and complacency hand them the information they need.

6. Cryptojacking

Attackers sneak cryptojacking malware onto a computer or mobile device by hiding it inside malicious files. The malware uses the victim's hardware to "mine" cryptocurrencies such as Bitcoin, which slows the device down and drives up power consumption while the attacker collects the coins. Because cryptocurrency prices remain high (Bitcoin has repeatedly traded at tens of thousands of dollars since late 2017), the threat of cryptojacking has not gone away. As long as cryptojacking stays profitable, cybercriminals will keep using it to make significant money.

Cryptojacking

7. Artificial Intelligence (AI) Attacks

As more tools become available to developers who want to build AI-driven software, attackers gain access to the same technology, allowing them to conduct more effective cyberattacks. Cybersecurity companies employ artificial intelligence and machine learning to help combat virus and malware threats, but these technologies can also be turned against devices and networks at scale. Cyberattacks are costly to criminals in time and resources, and automation lowers that cost. With the increased adoption of artificial intelligence and machine learning, attackers will likely develop more advanced and destructive AI-assisted malware in 2023 and beyond.

Defending Yourself from Cybercrime

Your private information, sensitive data, sentimental photos and private messages: what are they worth to you? They are irreplaceable. How are you combating new virus and malware threats? Many people rely on basic antivirus software and perhaps a few other security tools. The truth is that most antivirus programs do not provide complete protection against new threats, so you remain susceptible to the latest ones. Keep your software updated, keep offline backups of anything you cannot afford to lose, and use the best anti-malware software you can for your PC, Mac, Android and iOS devices.

Huge Ransomware List by Gridinsoft Research – Part #2
https://gridinsoft.com/blogs/huge-ransomware-list-part-2/
Published: Wed, 21 Dec 2022 12:54:41 +0000

We covered many notorious ransomware examples in Part #1 of this series, but that was not enough to cover all the noteworthy attacks. In Part #2, we look at more notorious attacks and ransomware families: groups that use a single ransomware strain or its variants.

More Interesting Ransomware Attacks

Westrock ransomware attack

Active: January-February 2021
Damage: $269 million in idle losses
Ransom: $20 million for file recovery

WestRock, a leading US-based packaging producer, detected a ransomware attack on its network on January 23, 2021, and disclosed it in a press release two days later, on January 25. Operations were restored by February 5, but the two-week outage cost the company roughly $189 million in lost sales and $80 million in operating losses. While the corporate network was down, the company failed to deliver about 85 thousand tonnes of packaging.

Westrock press release
Westrock notice about the cybersecurity incident

AXA ransomware attack

Active: May 2021
Damage: 3TB of confidential data leaked
Ransom: undisclosed

AXA, the French insurance giant, or more precisely its branches in Malaysia, Hong Kong, Thailand and the Philippines, was struck by Avaddon ransomware on May 4, 2021. Ironically, this happened days after AXA France announced that it would stop writing policies that reimburse ransomware payments. AXA has kept the financial impact of the incident confidential, but Avaddon's leak site listed 3 terabytes of data taken from the company.

Avaddon ransomware AXA leak site
AXA listed on the Avaddon ransomware leak site

Cloudstar ransomware attack

Active: mid-July 2021
Damage: Over a month of idle, money losses undisclosed
Ransom: undisclosed

Cloudstar, a provider of cloud-hosted virtual desktops, was hit in mid-July 2021. First reports of the attack appeared on July 18, and by the following day the company's services were unavailable. Soon after, the company issued a press release describing a "highly sophisticated ransomware attack" but gave no figures for either the losses or the ransom demanded. Even a month after the shutdown Cloudstar was not fully operational, according to reports from August of that year.

Bad Rabbit ransomware

Active: October 2017 – late 2017
Damage: ~200 victims
Ransom: $280 (in Bitcoin)

Being the offspring of a famous family carries the risk of remaining in the shadow of your parents, and so it went for Bad Rabbit, which shares much of its code with Petya/NotPetya. It first appeared in October 2017, a few months after the NotPetya attack covered in Part #1, and the quick reaction to that earlier threat probably limited its spread. Despite a fairly unusual delivery method (JavaScript injected into compromised news websites that offered a fake Adobe Flash installer), it had only around 200 victims. Like its predecessors, it blocked access to the system and showed a ransom note in place of the boot process. By the end of 2017 it had completely ceased activity.

BadRabbit ransom note
Ransom note of BadRabbit ransomware

REvil Ransomware group

Active: April 2019 – October, 2021
Damage: over 5000 victims over the globe
Ransom: ~$600,000 on average, peaking at $70 million

Along with Conti and LockBit, REvil (also known as Sodinokibi) is one of the most notorious ransomware gangs of the last three years. Its nominal shutdown in October 2021 meant only that its Darknet infrastructure went offline; the core operators remain at large (Russian authorities announced arrests of several REvil members in January 2022, but the leadership is not known to have been caught). Maksim Yakubets, often mentioned in this context for flaunting his cybercrime earnings and driving cars with a "ВОР" (Russian for "thief") number plate, actually heads Evil Corp, a different gang. To break into companies, REvil mostly relies on RDP and other network-facing vulnerabilities. Most analysts tie its codebase and operators to GandCrab, the group that retired in mid-2019. REvil uses both double extortion and the RaaS operating model; the latter makes the operators hard to catch despite their publicity.

Yakubets
Maksim Yakubets (head of Evil Corp, often wrongly described as REvil's chief) having a chat with a policeman.

HelloKitty ransomware

Active: January 2021 – now
Damage: uncalculated
Ransom: depending on the victims’ financials

It is a rare case when malware is named after one of its own artifacts: HelloKitty ransomware is named for the mutex it creates on the attacked system. That is not its main distinguishing feature, though. Unlike most cybercriminals, who use well-worn entry points such as phishing or RDP compromise, this group prefers a less popular route: vulnerabilities in SonicWall network appliances, which let them break into the targeted network. Among the best-known victims is the Polish game developer CD Projekt Red. Another unusual detail is that HelloKitty adjusts the ransom to the company's income. That may look like a good deed, but it may also mean the gang analyses the stolen files to get a detailed picture of the company's finances. Some members were arrested in Ukraine in October 2021, but that did not stop the gang's activity.

CD Project Red ransomware attack notice
CDPR’s notice about the cyberattack

MedusaLocker Ransomware group

Active: October 2019 – now
Damage: uncalculated
Ransom: $12,500 on average

MedusaLocker takes its name from the Greek myth of Medusa, whose gaze turned anyone who met her eyes to stone. The menacing name is backed by a wide range of anti-detection and anti-removal techniques in the infected system: disabling security tools, modifying the registry, re-running the encryptor, and scanning and encrypting connected drives and network shares, all of which make the malware even more dangerous. Its distribution, however, is unoriginal: the crooks use "classic" RDP compromise. MedusaLocker also uses the double extortion technique that is common to most groups.

BitLocker Ransomware

Active: Late 2021 – now
Damage: uncalculated
Ransom: $300 – $100,000

The name may look familiar to users who apply enhanced data security measures in Windows: it comes from BitLocker, the default Windows disk-encryption utility. This "ransomware" does not actually contain any encryption code of its own; it turns BitLocker against the victim, enabling it on the drives and withholding the recovery key, so that the user is locked out of their own data. Such attacks are hard to detect and block because almost no malicious code is involved; the tell-tale signs are a legitimate utility being enabled unexpectedly, a new key protector being added, and the recovery key not being escrowed to the organisation's Active Directory or key-management store. Crooks using this technique have also been observed exploiting MS Exchange vulnerabilities to get in. The approach has been used by several cybercrime groups, though it has never become widespread.

BitLocker recovery
BitLocker access recovery screen

BlackByte Ransomware gang

Active: July 2021 – now
Damage: ~700 companies hacked
Ransom: $200,000 – $6.5 million

BlackByte is another example of a ransomware operation that tries to be the best at everything. Constant updates to both the ransomware and its auxiliary tooling have made it dangerous and prolific. In particular, the gang archives files from the attacked network before exfiltrating them to cloud storage. Another notable change was its switch from C# to Go in early 2022. Like other gangs, it invents nothing new in distribution: its typical entry points are phishing emails and network security breaches.

BlackByte ransom note
BlackByte ransom note with ASCII-art

Avaddon Ransomware gang

Active: February 2020 – June 11, 2021
Damage: 2934 companies hacked
Ransom: $40,000-$600,000

Only a few ransomware groups go offline because of their success; most are forced out by law enforcement or researchers. Avaddon is one of the few: it voluntarily shut down after more than a year of successful attacks, releasing its decryption keys. The biggest gem in its victim collection is the French insurer AXA. The group's main distribution channel was email spam carrying a malicious archive; later it also adopted exploitation of RDP and VPN vulnerabilities. To motivate victims to pay, it set a 10-day payment deadline, after which the operators published the stolen data on their Darknet site.

Avaddon ransomware note
Typical Avaddon ransom note

Makop ransomware

Active: January 2020 – now
Damage: uncalculated
Ransom: $31,382 (haggling is possible)

Some ransomware developers, after discovering that their brainchild's cipher is flawed, upgrade it and fix the issue. Makop went a step further: it applies several encryption techniques in a random order, which makes it nearly impossible to build a single decryptor. Earlier builds did have a flaw in the way they generated encryption keys, which made brute-forcing a key feasible, but that no longer holds. Another interesting detail is that it encrypts the files on each drive using several CPU threads. Its distribution, however, is trivial: RDP compromise and email phishing, the alpha and omega of the vast majority of cyberattacks.

Makop files
Files enciphered by Makop ransomware

STOP/Djvu Ransomware family

Active: February 2018 – now
Damage: uncalculated
Ransom: $490-$980

Favourite, main threat, the key actor in the entire market: all these words describe STOP/Djvu ransomware. Despite a drop in activity over the last 6 months, STOP has not given up first place, retaining over 50% of all infections. It mostly attacks individuals and therefore relies on automated distribution: email spam, fake program cracks and hacktools are its most common sources. Djvu currently has over 600 variants, which differ by the extension they add to files during encryption. The ransomware also uses a fairly unusual anti-detection tactic: each new sample is repacked so that signature-based detection does not catch it.

STOP/Djvu readme
Common ransom note of STOP/Djvu ransomware

Matrix Ransomware group

Active: December 2016 – now
Damage: uncalculated
Ransom: $120,000 on average

Matrix is another old-timer, running since late 2016. That is an immensely long time for a ransomware operation to run without interruption, rebranding or restructuring, and the group can boast of it only because of its flexibility in a rapidly changing environment. Over these 6 years it has changed its distribution methods several times and adjusted the ransomware itself. At first it got into systems and spread via Windows shortcut vulnerabilities, the RIG exploit kit and phishing; currently its choice is the classic one, RDP compromise. The distinctive feature of this malware is its readme banners, scary and funny at the same time.

Matrix ransomware ransom note banner
Matrix ransom note is more similar to a screenlocker’s banner

Snatch Ransomware group

Active: late 2018 – now
Damage: over 200 companies hacked
Ransom: $2,000 – $35,000

References to popular films are not typical for ransomware, but that did not stop this gang from naming itself after Guy Ritchie's Snatch (2000). One of its members uses the nickname BulletToothTony, and their contact email is imboristheBlade@protonmail.com. They have openly presented themselves on Darknet forums, where they also recruit affiliates. Lately the gang has become less public, preferring to attack companies rather than talk. The Snatch ransomware is written in Go, which is still uncommon and makes it harder to detect. Distribution generally relies on RDP brute forcing and, more rarely, email phishing.

VoidCrypt Ransomware

Active: April 2020 – now
Damage: >800 companies attacked
Ransom: heavily depends on a victim

Some ransomware is dangerous because of its consistency and quality; VoidCrypt is dangerous because of its unpredictability. Its malware is modified often, which makes it hard to detect and impossible to predict its effects. Meanwhile, contacting the operators by email often has no effect at all, while the ransom note threatens to raise the sum if the victim fails to make contact in time. Such behaviour is especially troubling because VoidCrypt mostly attacks individual users. Its codebase seems to be reused in numerous other ransomware samples, even though none of them claims any relation.

Xorist Ransomware family

Active: December 2010 – now
Damage: uncalculated
Ransom: 0.05-2 BTC

This is apparently the oldest ransomware family still active today. Of course, modern variants share only a few details with the original released in 2010, but the number of offshoots it has spawned over 12 years makes it hard to count its victims. The first versions of Xorist had victims contact the extortionists not by email but via SMS. It also uses a weaker cipher, AES-128 rather than the 256-bit version, though 128-bit AES is still far beyond brute force, so this did not make the ransomware any less effective. The builder for this ransomware was leaked to the public, and it looks like a poorly designed tool for script kiddies. That builder is apparently the reason for the large number of offshoots.

Xorist builder interface
The interface of Xorist ransomware builder

HiddenTear Ransomware family

Active: August 2015 – now
Damage: uncalculated
Ransom: depends on the variant

Perhaps the oddest thing you can imagine is open-source ransomware, and here it is: HiddenTear. It was initially written for educational purposes by the Turkish researcher Utku Sen. Once its source code appeared on GitHub, however, crooks began using it with slight adjustments. The original variant encrypted only a single folder and used a key-generation scheme with a flaw that made brute-forcing the key possible. Fixing these issues is not hard, so after some "improvement" it became as good as full-fledged ransomware, and it is used by multiple cybercrime gangs around the globe.

Dharma Ransomware family

Active: February 2016 – now
Damage: around 1000 victims
Ransom: average $8,620, peaking at $15,000

This ransomware was first known as CrySiS, a name that remained current until early 2017, when the Dharma name appeared; that is why it is sometimes called Dharma/CrySiS. It still exists in much the same form today, in 2022, attacking primarily companies. Dharma is known for recruiting inexperienced hackers and posts many forum messages about its affiliate programme. Still, despite working with amateurs, it has mastered RDP compromise: typically it gets in by phishing remote-connection credentials or by simple brute force.

Pop-up message Dharma
Pop-up message displayed by Dharma ransomware

Huge Ransomware List by Gridinsoft Research – Part #1
https://gridinsoft.com/blogs/huge-ransomware-list-part-1/
Published: Mon, 19 Dec 2022 20:10:59 +0000

Ransomware is rightfully considered one of the most dangerous types of malware. It attacks individuals and companies, scrambling their files and paralysing their work. And even such a devastating malware has its own stars. Let us look at the most notorious ransomware attacks that ever happened.

What is ransomware?

If you are not completely familiar with this malware type, here is a reminder. Ransomware is malicious software that encrypts the files within the attacked system. Once done, it notifies the user about what happened through numerous ransom notes, pop-up windows or the like. These notes also contain instructions on how to pay the ransom, commonly in cryptocurrency sent to a designated wallet. Sums vary depending on the target: individuals usually pay $500-1,000, while the average ransom for corporations is around $150,000.

LockBit ransom note
Ransom note may appear as a wallpaper on the desktop of an attacked system

Ransomware does not appear out of the blue; it is built by skilled developers who do their best to make the cipher unbreakable and the malware undetectable. Those who create ransomware rarely do the dirty job of distributing it to victims themselves. They hand that task to other cybercriminals, who purchase the malware and run it as they wish. Besides paying for the "product", affiliates pay a share of each ransom they receive. This model is called "ransomware-as-a-service", or RaaS. Needless to say, most of the risk of being charged and detained also falls on the affiliates. Ransomware has given birth to a well-organised criminal industry in which millions of dollars circulate each month.

Notorious Ransomware Attacks You Should Know About

What makes a ransomware attack worth attention? From the perspective of an attacked individual or company, their case is as important as any other. But look at it on a larger scale and most cases are much the same. Here we review ransomware attacks that became a worldwide phenomenon and made newspaper headlines.

WannaCry Ransomware attack

Active: 12-15th May 2017.
Damage: ~200,000 computers over the world; billion-dollar idle losses
Ransom: Total of $130,634 (327 payments)

WannaCry is possibly the best-known attack that has ever happened. Some say it was the first attack that made ransomware a real danger in the eyes of the general public. The outbreak in May 2017 hit 150,000 machines on the first day, mostly corporations in Russia, Ukraine, India and Taiwan. On the second day, a security researcher registered the kill-switch domain that the malware queried before encrypting, which made new infections abort; that seriously restricted further spreading and fixed the victim count at around 200,000. The subsequent investigation attributed the attack to North Korean operators, who used the EternalBlue SMB exploit to deploy the ransomware. The North Korean Lazarus group did not claim responsibility.

WannaCry ransom note
Ransom note that WannaCry ransomware generated after the encryption

Locky Ransomware attack

Active: 2016-2017
Damage: up to 1 million computers
Ransom: 0.5-1 Bitcoin ($275-450)

The Locky outbreak was drawn out. Since the beginning of 2016 its first version was delivered by the Necurs botnet, which resided on both home computers and corporate machines. Originally the malware was spread through classic email spam with an attached Office document containing malicious macros. Around June 2016 the botnet went quiet after a glitch in its command infrastructure, but everything soon returned to normal, with even more intensive spamming. Although activity had almost ceased by the end of 2017, Locky still appears here and there, without any pattern.

Locky ransomware note
Locky ransomware ransom note

Cryptolocker malware attack

Active: September 2013 – May 2014
Damage: around 70,000 machines, 42,928 BTC paid
Ransom: $400 (in Bitcoin)

CryptoLocker is one of the earliest cases of a large-scale ransomware attack. After tightened banking regulations made traditional payment channels risky, criminals had to find another way to collect payment, and cryptocurrency was the best option. Distribution generally relied on malicious email attachments and double file extensions: victims received a ZIP file containing what looked like a PDF but was in fact an executable with a .pdf.exe name and a PDF icon. Since Windows hides known extensions by default, the file appeared to end in .pdf. CryptoLocker is also notable for raising the ransom if the victim failed to pay within 72 hours. In 2014, after law enforcement seized the operation's key database, a free decryption tool appeared, making the malware useless.

Cryptolocker ransomware note
Pop-up window that appeared after the Cryptolocker encryption
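Both of the delivery tricks described in this series, the malicious Office macro from the 2023 threats post above and CryptoLocker's .pdf.exe double extension, can be caught with a cheap attachment triage step before a file ever reaches a user. The following Python script is an added example written for this page; it is not code from Gridinsoft or from any of the malware described. It assumes OOXML documents (docx/docm/xlsm), which are ZIP containers, and builds its own constructed sample document in memory; a real vbaProject.bin is MS-OVBA compressed, so the keyword scan is only a first pass and a miss is inconclusive.

```python
"""Attachment triage: deceptive double extensions and Office macro storage.
Added example for this page; sample inputs are constructed, not real malware."""
import io
import zipfile
from typing import List

# Extensions that execute on Windows (not exhaustive; assumption for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi"}
# Harmless-looking extensions attackers put in front of the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# OOXML formats (ZIP containers) that may carry a VBA project.
OFFICE_EXTS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
# Procedure names VBA runs automatically when a document is opened or closed.
AUTOEXEC_NAMES = (b"AutoOpen", b"Document_Open", b"Workbook_Open",
                  b"AutoExec", b"AutoClose", b"Document_Close")


def has_deceptive_double_extension(filename: str) -> bool:
    """True for names like 'invoice.pdf.exe': a decoy document extension
    immediately before an executable one (case-insensitive)."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return decoy in DECOY_EXTS and real in EXECUTABLE_EXTS


def find_macro_indicators(doc_bytes: bytes) -> List[str]:
    """Inspect an OOXML document for VBA macro storage.
    Returns a list of findings; an empty list means no VBA project was found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls are OLE2 files, not ZIPs; they need an OLE parser.
        return ["not an OOXML/ZIP container"]
    findings: List[str] = []
    with zf:
        vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        if not vba_parts:
            return findings
        # The presence of a VBA project is itself the strongest signal.
        findings.append(f"VBA project storage present: {vba_parts[0]}")
        blob = zf.read(vba_parts[0])
        # Real vbaProject.bin module streams are MS-OVBA compressed, so a plain byte
        # scan only catches names that survive uncompressed (e.g. in the p-code
        # cache). Treat a miss as inconclusive; a decompressor such as olevba gives
        # the verdict.
        for name in AUTOEXEC_NAMES:
            if name in blob:
                findings.append(f"auto-execute entry point referenced: {name.decode()}")
    return findings


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Combine both checks for one attachment."""
    findings: List[str] = []
    if has_deceptive_double_extension(filename):
        findings.append("deceptive double extension")
    if filename.lower().rsplit(".", 1)[-1] in OFFICE_EXTS:
        findings.extend(find_macro_indicators(data))
    return findings


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed sample: a minimal ZIP laid out like a Word document. The VBA blob
    is plain text for the demo, not a real compressed VBA stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin",
                        b'Attribute VB_Name = "ThisDocument"\r\n'
                        b"Sub AutoOpen()\r\n    ' payload would be launched here\r\nEnd Sub\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in (("invoice.pdf.exe", b"MZ..."),
                       ("report.docm", build_sample_document(True)),
                       ("minutes.docx", build_sample_document(False))):
        print(name, "->", triage_attachment(name, data) or ["clean"])
```

In a mail gateway the double-extension check should run on the name the user will see, i.e. after any archive has been unpacked, since CryptoLocker's lure lived inside a ZIP; the macro check is a reason to quarantine, not a verdict, and a proper VBA decompressor should decide.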

Petya/NotPetya

Active: June 2017
Damage: $10 billion losses
Ransom: $300

Analysts detected the first Petya samples in March 2016, but its big premiere came in June of the following year, when the NotPetya variant struck. The attack is considered politically motivated: the operators were Russian, and the country that suffered most was Ukraine (over 80% of submissions). Moreover, it was launched on June 27, 2017, the eve of Ukraine's Constitution Day, a typical Russian "spoil-the-celebration" move. Several European countries reported infections as well. The malware was deployed through a backdoored update of the tax-preparation software M.E.Doc, widely used by Ukrainian companies. The attack is attributed to the Russian hacking group Sandworm, though Russia denies responsibility.

Petya/NotPetya ransom note
Ransom note displayed by Petya ransomware instead of the system loading

Conti Ransomware group

Active: Late 2019 – March 2022
Damage: over 1000 companies hacked
Ransom: average $110,000, peaking at $25 million

Conti is yet another cybercrime gang tied to Russia, and unlike many others tagged as Russian, it never denied its origins. The group started in November 2019 and quickly earned a reputation for having no principles, attacking any kind of company or organisation and amassing huge capital; at one point its average ransom peaked at around $1 million. Its key distribution methods were email spam and RDP brute force. It actively used double extortion, in which victims pay not only for file decryption but also to keep the leaked data secret. As CISA notes, Conti also implemented RaaS in an unusual way: instead of collecting a commission for each successful attack, the administration keeps the entire cash flow and pays its hackers-for-hire a "salary".

Conti ransomware leak site
Conti leak site, where the gang publishes information about the companies they’ve managed to hack

Ryuk Ransomware gang

Active: since August 2018
Damage: total ransom amount exceeds $150 million
Ransom: $100,000 – $500,000, peaking at $5.3 million

The name comes from a character in the Death Note manga. Ryuk is believed to be operated by Russian-speaking cybercriminals, though there is no conclusive evidence; an earlier analysis suggested a link to the aforementioned Lazarus Group, based on the code Ryuk shares with the Hermes ransomware. Ryuk relies on the TrickBot loader for distribution, although its operators also readily exploit exposed RDP. Unlike most groups that attack companies, Ryuk's operators did not practise double extortion, and there is no evidence of a RaaS model either.

DarkSide Ransomware

Active: August 2020 – May 2021
Damage: 90 known victims
Ransom: $200,000 – $2 million

The DarkSide gang is a textbook case of taking French leave. It is best known for its May 2021 attack on Colonial Pipeline, which caused fuel-supply disruptions along the entire U.S. East Coast. After that incident the FBI opened an investigation, and the DarkSide administrators hastened to announce their shutdown. The gang repeatedly claimed to be apolitical, although researchers trace its origins to Russia. Analysts also believe the group is a spin-off of another gang, REvil.

DarkSide shutdown message
Forum message about DarkSide shutdown

LockBit group

Active: September 2019 – now
Damage: 850 companies ransomed
Ransom: about $85,000 on average

LockBit is an example of a next-generation ransomware gang. The group vets affiliate candidates thoroughly and watches that they follow its "codex": it declared that it avoids attacks on critical infrastructure, government, non-profit and educational institutions, and it has largely kept that promise; when such an attack happens anyway, the group quickly retreats and hands out a decryption key for free. The administrators have proved to be quite talkative, giving interviews here and there while remaining anonymous. LockBit is also known for its software, which offers some of the fastest file encryption and data exfiltration tooling around. The gang jokingly calls itself "postpaid pentesters".

Lockbit leak site
LockBit ransomware leak site

Magniber Ransomware

Active: Late 2017 – now
Damage: ~250 users attacked
Ransom: 0.35–0.7 BTC

Ransomware that targets individuals rarely uses a method as sophisticated as vulnerability exploitation; social engineering is easier and cheaper, and therefore far more common. Magniber is the exception that proves the rule. Despite being an old-timer, first seen around December 2017, it had barely scored a hundred victims by the beginning of 2022. Its activity is inconsistent, with idle periods that may last more than a year. Analysts keep an eye on Magniber because of its unusual behaviour and its focus almost exclusively on South Korean users. In early 2022 it saw another activity spike, possibly the biggest in its history, spreading through fake Chrome and Edge browser updates and collecting over a hundred victims.

Cl0p ransomware

Active: September 2019 – now
Damage: over 1000 victims, ~$500 million in ransoms
Ransom: $80,000 – $220,000

Cl0p is an example of a single ransomware strain used by several different cybercrime groups. A further development of CryptoMix, it has been used in attacks by TA505, FIN11, UNC2546 and UNC2582, all of which originate from Russia or Russian-speaking countries. The key method used to spread Cl0p is spear phishing with a malicious attachment; for better disguise, the attached file is signed with a valid code-signing certificate so that security products treat it as legitimate. Alongside the ransomware, the payload commonly includes the SDBot backdoor, which is used to steal data.

Egregor Ransomware gang

Active: September 2020 – February 2021
Damage: 71 companies hacked
Ransom: averages at $700,000

Egregor put on a brief but bright show around the turn of 2021. Some analysts believe its key actors were recruited from the Maze gang, which dissolved in October 2020. Exploiting exposed RDP, it broke into the networks of fairly large companies; among its victims are the Kmart retail chain and Randstad, a staffing company. Although formally shut down, the group never announced it directly: its last attack happened in December 2020, and in February 2021 some members were arrested in a joint operation of Ukrainian and French police, after which the entire gang went offline. In February 2022 one of its members published the master decryption keys for Maze, Sekhmet and Egregor victims: not an explicit statement, but a fairly clear sign of the shutdown.

Babuk Ransomware

Active: December 2020 – July 2021
Damage: ~12 companies hacked
Ransom: $100,000

Similarly to the previous gang, Babuk had a short lifetime of less than a year; still, ransomware built on the Babuk codebase keeps appearing in the wild in 2022, because its source code leaked. The first versions attributable to Babuk appeared in October 2020 without a name; "Vasa Locker" was the first name, used around November 2020, and the Babuk name came into use in December of the same year. The group targeted primarily companies with gross profits of over $4 million. It is notable for attacking Washington's Metropolitan Police Department and demanding a ransom of about $4 million. Its key intrusion methods were RDP exploitation and email phishing. Its end was notorious: a member claiming to be 17 years old leaked the administrative panel credentials and the source code, stating he was suffering from terminal cancer and wanted to "live like a human".

Babuk ransomware shutdown
Forum message regarding Babuk shutdown

Phobos Ransomware

Active: early 2019 – now
Damage: not calculated
Ransom: about $37,000 on average

Phobos stands out for several reasons. It is a rare example of a malware family that targets both companies and individuals; although the companies it attacks are usually small, it compensates with sheer volume. Its key distribution methods are email phishing for individuals and RDP exploitation for companies. A further peculiarity is that the same group appears to spread the Dharma ransomware as well.

PYSA Ransomware group

Active: October 2019 – now
Damage: up to 800 companies hacked
Ransom: $347,000 on average

PYSA is an acronym for "Protect Your System, Amigo". That, and the sombrero-and-moustache image in the logo on its Darknet leak site, points to Mexican origins, or is at least meant to. Targeting corporations, the gang uses a whole toolkit to prepare the environment for ransomware deployment. For initial access the crooks generally use email phishing. Because of the large amount of manual work after gaining initial access, the ransomware is deployed in a fully hands-on mode.

PYSA ransomware Darknet homepage
Darknet homepage of PYSA ransomware

That is roughly half of the attacks I want to cover; check out the second part of this list for even more noteworthy ransomware attacks!

The post Huge Ransomware List by Gridinsoft Research – Part #1 appeared first on Gridinsoft Blog.

Why Phishing is Still the Most Common Cyber Attack? https://gridinsoft.com/blogs/phishing-most-common-cyberattack/ Thu, 06 Oct 2022
Unfortunately, millions of users worldwide are at risk every single day. Statistics show that a successful phishing attack occurs every 30 seconds, which suggests that cybercriminals don't stand still and keep evolving their methods. Traditional phishing scams are not the only threat to a business: targeted spear phishing and CEO fraud are far more devastating. IT decision makers understandably fear becoming another story in the never-ending book of hacks. But what makes these phishing attacks so successful? According to an Osterman Research report, there are six things to blame.

1. Lack of user’s security awareness

The most critical vulnerability in any defense is the human factor, and the human factor is exactly what every phishing attack targets. The specific gap is a lack of employee training on issues such as phishing and ransomware: about 6% of employees have never received security training at all. That undermines both employee confidence and their ability to recognize a phishing attempt and act accordingly. Employees should be trained to handle any unexpected email or scam they may encounter, on whatever platform it arrives.

Strange address phishing
Phishing emails often come from a strange sender address; that is the first red flag to check.

2. Cybercriminals change their focus

The glut of stolen data on the Darknet has dramatically reduced its commercial value: fraudsters can buy payment card data so cheaply that stealing and selling it is barely profitable. Banks have also introduced stronger transaction-confirmation mechanisms, and better transaction tracking limits the effectiveness of the old schemes. In response, cybercriminals have changed tactics and now extract money from organizations directly through ransomware attacks. These attacks are not much harder to carry out, but the rewards can be far larger. Although experts warn organizations not to pay, many victims prefer to transfer a lump sum and get their systems back online rather than go through a full incident response. Ransomware is especially effective when data owners, afraid of losing their data, pay without thinking twice.

3. Insufficient Business Impact Analysis

Some companies do not do enough to mitigate the risks associated with phishing and malware, and have no way to identify the weakest users who need further training. Robust data backup processes are often lacking, as are internal controls such as a second approval for any sensitive request, for example a bank transfer (which is what stops CEO fraud). Neglecting these processes plays into the hands of some of the most common fraud methods.

4. Good funding for criminal organizations

The enormous success cybercriminals have achieved in recent years means they have money to reinvest in the business: technical resources, tooling and skills. This has also let them exploit new attack avenues; recently, phishing through social media has grown significantly. It is especially dangerous because most phishing advice refers to email or phone scams, so people do not always notice the methods scammers use on social networks.

Spear phishing
Sometimes the messages look very realistic and convincing

5. Relatively inexpensive tools that you can get at your disposal

You do not need special skills to pull off a phishing attack. The availability of phishing kits and the proliferation of ransomware as a service (RaaS) let amateur hackers enter the market and compete with sophisticated criminal organizations almost overnight. The most disturbing part of this trend is that even people with little or no IT experience are reaping the benefits of these easy-to-use tools. With such earning potential, it is easy to see why criminals are drawn into such a lucrative business.

6. Malware is getting more sophisticated

The old (though still effective) technique of luring users into clicking malicious links is being eclipsed by more cunning and harder-to-catch tactics. Attackers are in no hurry to abandon existing techniques, but there are enough new ones to trick even users who know a fair amount about cybersecurity. Session hijacking, cross-site scripting and clickjacking are not new, but they keep evolving to the point where you cannot foresee the trick.

How to avoid phishing?

A phishing email is only the starting point of a cyberattack: once inside, attackers deploy the next stage, ransomware or data theft. According to a data breach cost report, phishing-related data breaches cost companies an average of $4.65 million. No single tool or solution can prevent all phishing attacks. As noted above, phishing sits at the intersection of human and technical weaknesses, which is why it is so hard to defend against.

A layered approach is recommended to minimize the chance of being tricked, starting with email security tools that filter out malicious messages. Zero-trust security keeps attackers from moving deeper into the network by continuously verifying user identities, thereby minimizing the number of people who can reach sensitive information; multi-factor authentication is one of the techniques that support this verification. A zero-trust strategy can save a great deal of money in the event of a breach: according to the same data breach cost report, organizations with it spend $1.76 million less per breach than those without. Attackers, however, are getting more sophisticated and are learning to bypass filters, so test your filters to confirm they are set up correctly.

Finally, an employee training program with real-world examples is needed. The better employees understand how attackers operate, the more likely they are to identify threats and report them. For example, when an employee receives and identifies a phishing email, the company should take a screenshot and walk through the warning signs that everyone should have noticed. Well-trained and vigilant employees can stop many phishing schemes. It is also worth inspecting links before clicking them: hover your mouse pointer over the link and hold it still for about a second so that the full target URL appears. If you expect to go to facebook.com, make sure it reads https://www.facebook.com and not something like http://faceb00k.com.

Phishing links
That way you can see where the link leads

Another thing to watch out for are domains with minor misspellings, such as bankfoamerica.com, which can lead you to a site that looks completely real. Safer still, open your browser, go directly to the site, log in, and check your account there for any notice about the "problem": if the original email or message was legitimate, the notice will be easy to find.
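The hover-over check and the misspelled-domain check described above can be automated. The following Python script is an added example written for this page, not code from the original post or from Gridinsoft; it assumes a small constructed allow-list of expected sites (TRUSTED_HOSTS) and a constructed sample message. It flags plain-http links, links whose visible text shows a different host than the real target, digit-for-letter look-alikes such as faceb00k.com, and domains within two edits of a trusted one such as bankfoamerica.com.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sites the reader expects to be sent to; a constructed allow-list for this example.
TRUSTED_HOSTS = {"www.facebook.com", "www.bankofamerica.com"}

# Digit/symbol-for-letter swaps that look-alike domains rely on.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from the <a> tags of an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def levenshtein(a, b):
    """Edit distance between two strings; a one-letter typosquat scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """'www.facebook.com' -> 'facebook.com' (naive: ignores multi-label suffixes like .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(value):
    """Hostname if the string looks like a URL or bare domain, else '' (e.g. for 'Log in')."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    host = (urlparse(value).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""


def assess_link(text, href):
    """Return the red flags for one anchor; an empty list means nothing looked wrong."""
    flags = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        flags.append("not https")
    if host in TRUSTED_HOSTS:
        return flags
    shown = host_of(text)
    if shown and shown != host:  # the hover-over check: displayed URL vs real target
        flags.append(f"text shows {shown} but link goes to {host}")
    target = registered_domain(host)
    for trusted in TRUSTED_HOSTS:
        real = registered_domain(trusted)
        if target == real:
            continue
        if target.translate(HOMOGLYPHS) == real:
            flags.append(f"{target} uses character substitution to mimic {real}")
        elif levenshtein(target.split(".")[0], real.split(".")[0]) <= 2:
            flags.append(f"{target} is within 2 edits of {real}")
    return flags


def scan_html(body):
    """Assess every anchor in an HTML body; returns [(href, flags), ...] in document order."""
    parser = AnchorCollector()
    parser.feed(body)
    return [(href, assess_link(text, href)) for text, href in parser.links]


# Constructed sample message; not a real phishing e-mail.
SAMPLE = """
<p>There is a problem with your account. <a href="https://www.facebook.com/login">Log in to Facebook</a></p>
<p>Or use <a href="http://faceb00k.com/login">https://www.facebook.com</a> to fix it now.</p>
<p><a href="https://bankfoamerica.com/verify">Verify your account</a></p>
"""

if __name__ == "__main__":
    for href, flags in scan_html(SAMPLE):
        print(href, "->", "; ".join(flags) or "looks legitimate")
```

Treat the output as a triage aid rather than a verdict: the registered-domain split is naive (it mishandles co.uk-style suffixes) and a two-edit threshold will also flag some legitimate brand domains, so a human still makes the final call.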

Don't succumb to a false sense of urgency. If an email or pop-up tries to scare you into logging in quickly by threatening consequences such as permanent lockout or disconnection, don't hurry. These tactics are designed to make you bypass common sense and hand over information before you realize what's wrong.

The post Why Phishing is Still the Most Common Cyber Attack? appeared first on Gridinsoft Blog.

20 Dangerous Types of Cybersecurity Threats https://gridinsoft.com/blogs/dangerous-types-of-cybersecurity-threats/ Wed, 27 Apr 2022
This year's cybersecurity threats are more serious than ever. Thanks to efficient ransomware, coin miners, spyware and the like, hacking has become a consistently profitable business.

Knowing about cybersecurity threats is crucial because it sharpens your safety measures. When you know what you are up against on the Internet, you understand what cybersecurity is for.

The following article is not a list of cybersecurity threats in a strictly scientific sense. Instead, we have gathered some of the trending phenomena of modern cyber-warfare (some of them are threats indeed) and present them in the form of an explanatory dictionary.

#1. Hacking Attacks

Any activity toward getting unauthorized access to and control over computers, data storage, online servers, websites, etc., is called “hacking”. The term is old, and hacking computer systems does not necessarily imply going online, although it mostly happens on the Internet nowadays.

Hacking may involve malicious software (malware), but not necessarily: social engineering, i.e. getting past digital security by deception, exploiting human rather than computer weaknesses, is also a form of hacking.

Hacking started as idle entertainment but evolved into a lucrative criminal industry. Countering would-be crooks and developing anti-malware software is now an indispensable part of modern computing.

#2. Malware Attacks

“Malware” is a portmanteau for malicious software. There are different ways to classify unwanted programs. Some security specialists distinguish between software that does actual harm and annoying applications that can be easily detected and removed from a device by a standard procedure. Other experts consider unwanted programs and malware synonyms.

NOTE: Malware attacks are a major threat to users all over the world. It is important to know the principles and main characteristics of each kind in order to understand how to resist them.

Harmful software can itself be classified by different criteria. For example, malware may be file-based or fileless; the latter runs via scripts or in memory only, with no malicious file saved on the targeted device.

A malicious file may be the one that breaches the victim system's defenses, or it may be downloaded later by the former. As for the infection mechanism, the agents are viruses, worms or Trojans; other types exist, but these three are the most widespread. Classic viruses, which gave malware its first collective name, are nearly obsolete nowadays. But do you know the difference between malware and a virus?

The functions of malware are immense: it can collect data, destroy or tamper with it, flood users with unwanted advertising, and so on. The vilest malware these days, however, is arguably ransomware.

Trojan Horse (Cybersecurity Threat)

Trojan horse, or just Trojan, is a term that describes the way malware ends up on the victim's device. It is incorrect to say "Trojan virus," as Trojans are not computer viruses; the latter are self-replicating pieces of code. Trojans are shaped as "normal" files and do not clone themselves. What is specific about them is that users install Trojans themselves, mistaking them for what the malware pretends to be. This disguise gave Trojans their name (remember Odysseus's trick for getting beyond the walls of Troy).

Once the Trojan is "behind enemy lines," it can perform one of many possible functions: deliver its own malicious payload or download additional malware, and one does not exclude the other.

NOTE: Over the past three years Trojans have changed significantly, and there are many dangerous variants. It is therefore recommended to use a dedicated anti-malware tool, such as Gridinsoft Anti-Malware.

#3. Ransomware Attacks

Ransomware is a kind of malware that encrypts data on the victim's device. It then provides instructions on how to pay a ransom in cryptocurrency to the crooks, who promise to deliver a decryption key to the injured party in return.

Ransomware is usually delivered by Trojans. Victims often catch the infection from email attachments, malicious links in messages, or unchecked downloads from dangerous websites. Ransomware encrypts data files such as text documents, images and videos, after which every encrypted file gets an additional extension appended to its name. The user cannot read the files until they are decrypted.
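Two of the traits just described, the appended extension and content that is no longer readable, are what defenders look for when hunting encrypted files. The Python script below is an added example written for this page, not the post's own code; it assumes a constructed list of ransomware suffixes and file-type magic numbers and uses a deterministic byte pattern (bytes(range(256)) repeated) as a stand-in for ciphertext. It flags a file when a ransomware suffix was appended after a document extension, when a file no longer starts with the header its extension implies, or when a plain-text format has suspiciously high entropy.

```python
import math
from collections import Counter

# Suffixes that various ransomware families append after encryption (constructed, not exhaustive).
RANSOM_SUFFIXES = {".locked", ".encrypted", ".crypt", ".lockbit", ".conti", ".ryk", ".phobos"}

# Leading bytes ("magic numbers") that genuine files of each type begin with.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # Office Open XML is a ZIP container
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}


def shannon_entropy(data):
    """Bits per byte: English text is around 4-5, compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, data, entropy_threshold=7.5):
    """Reasons why a file looks ransomware-encrypted; an empty list means it looks intact."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit(".", 2)
    # "report.docx.locked": the original extension is still visible under the appended one
    if len(parts) == 3 and "." + parts[2] in RANSOM_SUFFIXES:
        reasons.append(f"ransomware suffix .{parts[2]} appended after .{parts[1]}")
        lower = lower[: -len(parts[2]) - 1]
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    expected = MAGIC.get(ext)
    # Compressed formats (docx, jpg, png) are high-entropy by design, so entropy alone would
    # raise false alarms on them; a header that no longer matches the extension is decisive.
    if expected and not data.startswith(expected):
        reasons.append(f"{ext} file does not start with its expected header")
    elif not expected and shannon_entropy(data) > entropy_threshold:
        reasons.append("high entropy in a format that should be readable")
    return reasons


def scan(files):
    """Classify a list of (name, content) pairs; returns {name: reasons}."""
    return {name: classify(name, data) for name, data in files}


# Constructed sample files; CIPHERTEXT is a deterministic stand-in for encrypted output.
CIPHERTEXT = bytes(range(256)) * 8
SAMPLES = [
    ("quarterly.docx", b"PK\x03\x04" + b"word/document.xml" * 20),              # intact document
    ("notes.txt", b"Meeting notes: discuss backups and RDP exposure\n" * 40),  # intact text
    ("quarterly.docx.locked", CIPHERTEXT),  # encrypted and renamed
    ("scan.pdf", CIPHERTEXT),               # encrypted in place, name unchanged
    ("invoice.txt", CIPHERTEXT),            # encrypted in place, text format
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(reasons) or 'looks intact'}")
```

The header check matters more than the entropy check in practice: a file encrypted in place keeps its name, and a docx or jpg was high-entropy before the attack anyway, so only the vanished magic bytes give it away.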

Ransomware attacks have become a working business model for crooks over the last several years, and governments have declared a real war on ransomware: US authorities have started shutting down the black markets where ransomware as a service was being sold.

MedusaLocker Ransomware

MedusaLocker is classic ransomware with one mean peculiarity. Unlike most ransomware operators, who want a reputation as "trustworthy thieves," the racketeers behind MedusaLocker do not hand over the decryption key even to victims who pay. By undermining the whole business scheme, MedusaLocker's developers are one more illustration of the advice not to negotiate with terrorists.

#4. Formjacking Cybersecurity Threat

A modern way of stealing money is to capture a copy of the payment card details an unsuspecting user types into a payment form, say, at an online shop. As the shopper confirms the card details, a copy of the entered data goes straight to the crooks. The procedure requires injecting malicious JavaScript into the payment page, usually through a compromised third-party script loaded by the page rather than the site's own code. The same technique can be used to steal logins and passwords, with identity theft as the next step.

#5. Password Attacks

Password attacks are the sum of measures hackers may take to recover the password of a protected account or device, given that they do not have it and have no software that reveals it directly. Password attacks are therefore attempts to guess the password, using computing power to do it as fast as possible. The most "honest" method is a brute-force attack, where the machine bluntly tries every possible password until it hits the right one.

NOTE: Password stealers, or PWS, are a specific type of malware that tries to grab your passwords and other credentials. Once it has taken hold on the system, the password-stealing malware is ready to do its job.

A strong password might take thousands of years to break by brute force. But, of course, real attacks do not try every value without regard to what is being attacked: in each particular case there are sets of words and numbers far more likely to be the password than random strings. That is what the cracking software does: it varies the values it tries realistically, starting with dictionary words and the ways people typically modify them.
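Both strategies described above, the exhaustive brute force and the "realistic" dictionary attack with mangling rules, are shown in the following Python script. It is an added example written for this page, not the post's own code; it assumes a constructed five-word wordlist, a constructed "leaked" unsalted SHA-256 hash, and an assumed rate of 1e10 guesses per second for the keyspace estimate (a plausible GPU rate for raw SHA-256, far too high for a properly salted, slow password hash such as bcrypt).

```python
import hashlib
import itertools
import string

# Constructed wordlist; real attacks use millions of leaked passwords plus mangling rules.
WORDLIST = ["password", "welcome", "dragon", "summer", "company"]
SUFFIXES = ["", "1", "123", "!", "2023", "2023!"]


def sha256_hex(text):
    """Unsalted SHA-256, the kind of hash found in many leaked credential dumps."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(word):
    """The variants people actually pick: capitalised, upper-case, leet-speak, plus common suffixes."""
    leet = word.translate(str.maketrans("aeios", "43105"))
    for base in dict.fromkeys([word, word.capitalize(), word.upper(), leet]):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try mangled wordlist entries; returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for guess in candidates(word):
            attempts += 1
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Exhaustive search over every string up to max_len: always correct, exponentially slow."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(chars)
            if sha256_hex(guess) == target_hash:
                return guess, attempts
    return None, attempts


def years_to_exhaust(length, alphabet_size, guesses_per_second=1e10):
    """Worst-case time to try the whole keyspace. 1e10 guesses/s is an assumed GPU rate for raw SHA-256."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    leaked = sha256_hex("Summer2023!")  # constructed "leaked" hash
    print(dictionary_attack(leaked))     # found after a few dozen guesses
    print(brute_force(sha256_hex("ab1"), max_len=3))
    print(f"8 lowercase letters: {years_to_exhaust(8, 26):.6f} years")
    print(f"12 printable chars:  {years_to_exhaust(12, 95):,.0f} years")
```

The point of years_to_exhaust is the asymmetry the text describes: eight lowercase letters fall in seconds and twelve characters from the printable set take over a million years at the same rate, yet the dictionary attack finds Summer2023! in 84 guesses regardless of its length, because it is a common word with a common mangling applied.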

#6. Cryptojacking Malware

Since cryptocurrency strengthened its position in the world economy, hackers have been developing ways to profit from other people's computing resources. Bitcoin and other tokens are produced by mining, i.e. solving cryptographic puzzles on the mining machine, so criminals seek to enslave as many computers on the Web as possible for their remote mining farms. They found several ways to do so; the process is called cryptojacking.

The two most common ways to exploit remote machines for cryptocurrency mining are infecting them with so-called coin miners (mostly Trojans) or making their browsers run coin-mining scripts. The precautions against these threats are the familiar ones: be careful with questionable email attachments and links.

#7. Man-in-the-middle attack (MITM)

Spoofing a Wi-Fi network name allows crooks to lure victims onto a network fitted with data-collecting software or even hardware, so that the user's incoming and outgoing traffic passes through the crooks' hands. This spying scheme is called a man-in-the-middle attack. It serves criminals equally well for attacking a specific target or for identity theft against random people unlucky enough to fall into the trap.

IMPORTANT FACT: A public Wi-Fi network can be considered insecure for several reasons, any of which may compromise your device and data. It is important to learn how to use public Wi-Fi safely and which risks to watch out for.

#8. Cloud Vulnerabilities

Users consider cloud storage an excellent and convenient place to keep their data and to back up their hard drives. That is true! But is the cloud safe? People seldom care about cloud data security because they do not expect anyone to hunt for their information. However, any company with competitors, and any influential person, should know that cloud services have their vulnerabilities.

Some of them are trivial, like the absence of two-factor authentication, which lets anyone holding a stolen password, or sitting at a still-logged-in machine, get in. Others involve abuse of the cloud services' own scripting and automation features, DDoS attacks, compromised APIs, and other weaknesses that raise questions about the security of cloud services.

#9. Botnet Cybersecurity Threat

A botnet is a network of compromised computers that act in concert to perform whatever their operator orders. Each botnet host runs specialized software installed without the owner's knowledge. Whatever a particular botnet does, botnets in general are put to vile use: posting comments on social media, launching DDoS attacks, mining cryptocurrency, distributing malware, and so on.

#10. Denial of Service (Dos) Attack

A denial-of-service (DoS) attack happens when a resource that is supposed to provide a service is overloaded by an enormous number of requests, or receives crafted data that triggers a crash. This type of attack is typically aimed at the websites of business competitors, political opponents or ideological enemies, or at another state's critical resources by threat actors from a hostile country.

If a DoS attack involves multiple sources (real people or a botnet), it is called a distributed denial of service (DDoS). The international hacktivist collective Anonymous is well known for quickly organizing massive DDoS attacks. The use of VPNs and onion routing makes tracking the attackers very difficult.

#11. Spam Cybersecurity Threat

Spam is the well-known practice of throwing unwanted and unneeded advertising at random users. Spam used to be a matter of advertising and fraud, but hackers caught on and started using it to spread malware; the combination of spam and malware distribution is called malspam. The difference between malspam and targeted email attacks is that malspam is an indiscriminate distribution of dangerous attachments in random mass mailings.

#12. Phishing Attack

Phishing is a hacking technique that does not necessarily involve malware at all. Its name comes from "fishing," with the spelling changed to distinguish it from the real thing, but the idea is similar. Hackers use social engineering, in other words skilful deception, to make victims believe that whoever is addressing them is a trustworthy company or person. It is also important not to confuse phishing with pharming.

NOTE: Phishing is a type of cyberattack carried out with a variety of technologies. There are many dangerous types of phishing attacks to watch out for.

Once such a connection is established, criminals lure unsuspecting users into handing over their credentials (login, password, payment card details, etc.). Not knowing the real identity of the asker, victims can suffer considerable losses, up to and including identity theft. Education and vigilance are therefore the best countermeasures.

#13. Spoofing Cybersecurity Threats

Spoofing is inseparable from phishing. Imagine someone impersonating a police officer to make you lend him your car: the request is the phishing, while the fake uniform and badge are the spoofing. Likewise, an email letterhead, an email address, a web page's appearance, a website address, a Wi-Fi network name, a browser shortcut or interface, and much more can be spoofed.

Experienced users are likely to tell a genuine web page from a spoofed one, and basic rules of Internet communication can keep users from taking deceptive baits. The problem is that phishing generally targets inexperienced users.

#14. SQL Injection (SQLi) Cybersecurity Threats

SQL injection is one of the most common ways of hacking websites and data-driven software. It exploits a flaw in which user-supplied input is concatenated into an SQL query, so that a specially crafted piece of input is executed as part of the command rather than treated as data, giving hackers access to data in a database they have no legitimate access to.

The vulnerability emerges because programming flaws can cause user input to be read and executed as SQL in certain conditions. Knowing these conditions and how to trigger them is what makes an SQL injection attack possible.
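The condition the two paragraphs above describe, and its fix, in Python against an in-memory SQLite database. This is an added example written for this page, not code from the original post; the users table, its two rows and the two payloads are constructed. login_vulnerable pastes input straight into the query, so a quote followed by OR 1=1 and a comment marker makes the password check disappear, and a UNION clause pulls the password column out through a query that never exposed it; login_safe binds the same input as parameters, and the payloads come back as nothing more than strange usernames.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows; stands in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the input becomes part of the SQL command."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, never as SQL syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Constructed payloads; '--' comments out the rest of the statement in SQLite.
BYPASS = "' OR 1=1 --"                                # makes the WHERE clause always true
LEAK = "' UNION SELECT password, role FROM users --"  # reads a column the query never exposed

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))   # legitimate login
    print(login_vulnerable(db, BYPASS, "anything"))  # every user, no password needed
    print(login_vulnerable(db, LEAK, "anything"))    # passwords returned in the 'username' column
    print(login_safe(db, BYPASS, "anything"))        # [] : the payload is just an odd username
```

These two payloads are the first things a tester tries against any login form. The fix is the parameterised query, not input filtering: the driver sends the values separately from the SQL text, so they can never change the statement's structure.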

#15. Rootkit Malware Attack

Rootkits are programs that perfectly fit the definition and popular idea of a hacking tool, and they are strongly associated with malware. Cybercriminals use them to reach data closed to the user at the current level of access; as the name suggests, a rootkit aims to give its user access to the very core of the system, its root.

This kind of software grants evildoers a broad scope of opportunities: collecting information from the system, controlling it, and hiding objects within it. Modern security software automatically removes known rootkits, but detecting and deleting one by hand is a problem for an average user.

#16. Advanced Persistent Threat (APT)

Nation-state threat actors that gain unauthorized access to computer systems and remain undetected for a long time are designated as advanced persistent threats. APTs are among the most disturbing menaces in the modern digital world because they target a country's vital industries: banks, electronic election systems, the electric grid, and so on. Moreover, operating with the backing of their own governments, nation-state actors are well equipped, and they aim to cause harm rather than make money like ransomware operators. That radically distinguishes APTs from the other threats.

#17. Backdoor Attacks

A backdoor is a way of bypassing the standard authentication or encryption of a device or program. The name speaks for itself: it is a vulnerability in a program, but one left there on purpose. It gives whoever knows about it, whether the software's own developers or an attacker who planted it, quick and free access to data or even control over the system.

FROM THE LATEST NEWS: Shuckworm hackers are attacking Ukrainian organizations with a new variant of the Pteredo backdoor. According to experts, the group has carried out more than 5,000 cyberattacks on 1,500 public and private enterprises in the country.

A backdoor is not necessarily a hacking instrument; it might be a tool for emergency troubleshooting. However, hackers use backdoors introduced via seemingly ordinary applications (in fact, Trojans) to fetch additional malware past the operating system's security perimeter. Luckily, backdoors are recognizable, and anti-malware systems manage to detect them.

#18. Darknet Cybersecurity Threats

Darknet is not a cybersecurity threat in itself, but it sounds menacing. However, it would be false to say that the darknet has no relation to cybersecurity threats. It is more of a place where designers and users of malware meet and communicate. Darknet is an anonymous overlay peer-to-peer network (existing within the Internet) wherein connections are only established between trusted peers and via non-standard ports and protocols. Access to the darknet is only possible via special software, like Tor Browser. While the dark web is associated with illegal activity, accessing and browsing the dark web is legal. We recommend Gridinsoft’s useful tips on the darknet.

Darknet is associated with black markets, cybercrime, and terrorism, but also with well-protected privacy, freedom of thought, and liberty from governmental control. Beware of these dangerous cybersecurity threats!

The post 20 Dangerous Types of Cybersecurity Threats appeared first on Gridinsoft Blog.

NASA has faced 6000 cyberattacks in the past four years
https://gridinsoft.com/blogs/cyberattacks-on-nasa/
Fri, 28 May 2021 21:45:36 +0000

The post NASA has faced 6000 cyberattacks in the past four years appeared first on Gridinsoft Blog.

NASA has identified more than 6000 different cyberattacks over the past four years, according to a recent report from the National Aeronautics and Space Administration.

The document states that NASA has institutional systems that are used for the day-to-day work of employees (this includes data centers, web services, computers and networks).

NASA also has separate mission systems associated with scientific programs in the field of aeronautics, space exploration, and so on (such systems are used to control spacecraft and process scientific data).

In total, NASA owns more than 4,400 applications, more than 15,000 mobile devices, about 13,000 software licenses, about 50,000 computers and a whopping 39,000 TB of data.

“The audit showed that attacks on the organization’s networks are not rare, and attempts to steal important information are becoming more and more difficult and serious, while NASA’s ability to detect, prevent and mitigate the consequences of such attacks is very limited,” the report says.

The cyberattacks detected in recent years (more than 1,700 incidents were identified in 2020) were very different: brute force, email attacks, identity tampering attacks, equipment loss and theft, various web attacks and incidents involving external or removable media.

For example, in 2020, most incidents were associated with misuse, including the installation of unauthorized software or access to inappropriate materials. The number of incidents of this kind increased from 249 in 2017 to 1103 in 2020.

6000 cyberattacks on NASA

The report provides information on several specific incidents, including the hacking of NASA’s Jet Propulsion Laboratory in 2018, which resulted in hackers gaining access to the servers and telescopes of the Deep Space Network.

In the same year, unidentified persons stole about 500 MB of data from an unnamed mission system by compromising an external user account. In addition, in 2019, NASA discovered that a contractor was using its resources to mine cryptocurrency, and two Chinese citizens were charged with hacking NASA systems and stealing data.

Let me remind you that I also said that NASA staff faces an exponential increase in the number of hacker attacks.


FBI investigates cyberattacks on two water supply systems in Pennsylvania
https://gridinsoft.com/blogs/cyberattacks-on-two-water-supply-systems/
Tue, 11 May 2021 16:13:44 +0000

The post FBI investigates cyberattacks on two water supply systems in Pennsylvania appeared first on Gridinsoft Blog.

Last month, the local Water Action Response Network, which includes utility companies, sent emails to its members informing them that cyberattacks had affected two water supply systems.

According to the letter, the hackers installed a web shell in the networks of enterprises for remote access to them. The attack was detected and stopped, and the FBI initiated an investigation. The organization did not disclose the names of the enterprises.

“This is alarming, and it is a very vulnerable thing,” said Guy Kruppa, a water supply inspector for Bel Vernon County, Pennsylvania, which serves about 2,300 homes and businesses.

Kruppa’s responsibilities include computer monitoring of chlorine and pH levels in tap water. According to him, he is constantly worried about intruders gaining access to the system and changing the levels of chemicals.

“If you add more chlorine, more phosphate, it can lead to an outrageous situation when all the tanks have to be drained. People will feel bad. It can turn into a real nightmare,” the Pennsylvania TV channel 6abc quotes Kruppa as saying.

A similar thing almost happened earlier this year in Oldsmar, Florida. The attacker gained access to the water treatment system and raised the level of sodium hydroxide (a cleaning chemical) to dangerous levels. Fortunately, the employees of the water treatment plant managed to reduce the concentration of the hazardous substance in time.

“Sodium hydroxide, also known as caustic soda, is the main ingredient in liquid pipe cleaners. It is also used to control the acidity of water and remove metals from drinking water in wastewater treatment plants. The hacker changed the sodium hydroxide content of the water from about 100 ppm to 11,100 ppm. Obviously, this is a significant and potentially dangerous increase,” Sheriff Bob Gualtieri said at a press conference.
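The Oldsmar incident above is a set-point change that no plausible operator action would produce. As an added example (not code from the original article or from any utility involved), here is a guard a defender could place in the command path of an HMI: every requested change is checked against an engineered safe range and a per-command step limit, and anything refused is returned for alerting. The parameter names, limits and sample events are constructed for illustration, not real plant values.

```python
from dataclasses import dataclass

# Constructed per-parameter limits (hypothetical, not engineering data):
# (minimum, maximum, largest change allowed in a single command).
LIMITS = {
    "naoh_ppm":     (0.0, 500.0, 50.0),
    "chlorine_ppm": (0.0, 4.0, 0.5),
    "ph":           (6.5, 8.5, 0.3),
}

@dataclass
class SetpointChange:
    parameter: str
    old_value: float
    new_value: float
    source: str      # operator id or "remote" for a remote-access session

def check_setpoint_change(change: SetpointChange) -> tuple[bool, str]:
    """Return (allowed, reason). A change is refused when the parameter is
    unknown, the new value leaves the safe range, or the step is larger than
    one command may apply; refused changes should alarm and need a second
    person at the plant to confirm before the controller accepts them."""
    if change.parameter not in LIMITS:
        return False, f"unknown parameter {change.parameter!r}"
    lo, hi, max_step = LIMITS[change.parameter]
    if not lo <= change.new_value <= hi:
        return False, f"{change.new_value} outside safe range [{lo}, {hi}]"
    step = abs(change.new_value - change.old_value)
    if step > max_step:
        return False, f"step {step} exceeds per-command limit {max_step}"
    return True, "ok"

def triage(changes):
    """Run each change through the check and return the refused ones as
    (parameter, source, reason) tuples, ready to forward to a SOC."""
    refused = []
    for c in changes:
        allowed, reason = check_setpoint_change(c)
        if not allowed:
            refused.append((c.parameter, c.source, reason))
    return refused

# Constructed sample events: a routine tweak and an Oldsmar-sized jump.
SAMPLE_EVENTS = [
    SetpointChange("chlorine_ppm", 1.0, 1.2, "op1"),
    SetpointChange("naoh_ppm", 100.0, 11100.0, "remote"),
    SetpointChange("ph", 7.2, 6.0, "remote"),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print("ALERT:", item)
```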

In the aftermath of the Oldsmar incident, the Public Utilities Commission provided advice to state businesses on strengthening cybersecurity. The commission requires large utility companies to draw up annual cybersecurity plans, but small municipal systems are not required to do so, so they are more vulnerable to hacker attacks.

Let me remind you that I also reported that a Kansas resident was charged with hacking a water utility computer system.


Trump declared a state of emergency due to cyberattacks on US energy systems
https://gridinsoft.com/blogs/trump-declared-a-state-of-emergency-due-to-cyberattacks-on-us-energy-systems/
Mon, 04 May 2020 16:54:41 +0000

The post Trump declared a state of emergency due to cyberattacks on US energy systems appeared first on Gridinsoft Blog.

Last Friday, President Trump declared a state of emergency in the country due to cyberattacks on the US energy system. Now he is taking steps to protect the energy system from cyberattacks and foreign interference.

The order prohibits the use of electrical equipment produced by a company under the control of a foreign contractor, or the purchase of any equipment that poses a threat to national security.

“Additional steps are required to protect the safety, integrity, and reliability of the electrical equipment for the mass power systems used in the United States”, — Trump wrote. “In the light of these results, I declare a state of emergency in the country regarding a threat to the US mass-energy system.”

Trump, according to his statement, found that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.

Trump declared a state of emergency

The President’s order also established a task force for protecting the power system from attacks and for exchanging risk management information to prevent interference. The task force will include the ministers of trade, defense, and national security, as well as the director of national intelligence.

Trump in his order noted that the energy system is the target for those who are “trying to commit malicious acts” against the United States, pointing out the problems associated with cyberattacks, in particular.

“A successful attack on our mass-energy consumption system will pose significant risks to our economy, human health, and safety, and will make the United States less able to act in defense of ourselves and our allies”, — Trump wrote.

Among other things, the order empowers the Secretary of Energy to identify existing electrical equipment manufactured outside the United States and to develop, together with government agencies and the private sector, strategies for isolating, monitoring, and replacing it in the future.

At the same time, it is surprising that Trump’s decree does not mention any specific countries whose hackers organize targeted cyberattacks against the United States. The order also names no companies involved in criminal operations in the digital space.

For some reason, I recalled that some time ago, while searching Google for the word ‘idiot’, users got pics of Donald Trump. Coincidence?

