Ransomware Attack on Bandai Namco

The Japanese game studio was reportedly struck by ALPHV ransomware earlier this day. The way of penetration, as well as the ransom sum, remain unknown. That is typical for BlackCat ransomware group – earlier, they kept the details of attack on University of Pisa in secret, until the university did not uncover the info by themselves. At those case, they asked for $4.5 million – a pretty average sum for the organisation of this size. However, Bandai Namco has a much bigger turnover, so the hackers may ask for twin- or triplefold bigger sum.

ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.

Bandai Namco is an international video game publisher. Bandai Namco video game franchises include Ace Combat, Dark Souls, Dragon Ball*, Soulcaliber, and more. pic.twitter.com/hxZ6N2kSxl

— vx-underground (@vxunderground) July 11, 2022

Still, the penchant for secrecy in the BlackCat group is only partial. After the other successful attack, this group began publishing the leaked info soon after the target company refused to pay the ransom. Contrary to the vast majority of ransomware groups, they posted it not on the Darknet page, but in the Surface web – accessible to any user. Pretty soon the site was disabled, but the fact remains – they are not just selling the data, but also shaming their victims. Still, that may be a sophisticated way to force the company to notify about the cybersecurity incident.

About BlackCat/ALPHV group

BlackCat group is a notorious cybercriminal gang that appeared in November 2021. In June 2022, they accounted for over 30% of all ransomware attacks. These days, it splits the ransomware arena with the LockBit group – another infamous gang that has been running since 2019. Obviously, it is incorrect to call the BlackCat/ALPHV gang a newbie – a lot of analysts assume that it is just a rebranding of BlackMatter ransomware that ceased its activity in May, 2021. The latter is widely known for their attack on Colonial Pipeline, which caused a serious gas price surge on the US East Coast.

However, BlackCat as a novel gang got their own “identity”. First and foremost, they use a unique payload on Rust programming language. This language is a rare guest in malware, so their malware can easily bypass the protection mechanisms. And it successfully does that on Windows, and even on *NIX systems. Another notable element of this gang is their recruitment policy – they take only 10% of a ransom sum. In addition to hiring the hackers from REvil, DarkSide and Conti groups, that creates a quasi-team of professionals. In fact, they are still just criminals – but extremely dangerous ones.

The post Bandai Namco Hacked, ALPHV Group Claims appeared first on Gridinsoft Blog.

BlackCat/ALPHV published the leaked data

Cybercriminal groups that practice the double extortion have tried countless ways to shame their victims into paying. The latest innovation that increased the stakes comes from the ALPHV/BlackCat ransomware group. It commonly released any stolen victim data on the Darknet page. However, these days the group has begun posting the websites of individual victims on the public Internet, and the leaked data has been made available in an easy-to-search form.

This is a new but unsurprising evolution in extortion tactics. Alphv will likely use stolen email addresses to send a link to the site to impacted individuals. Other gangs have used similar strategies 2/3https://t.co/JE0V1wR2HY

— Brett Callow (@BrettCallow) June 14, 2022

The case with the luxury resort is among the first ones, but likely not the last. Hackers’ website claims to have the personal information of 1,500 resort employees and over 2,500 residents of the facility. At the top of the page there are two “Check Yourself” buttons, one for employees and one for guests. Brett Callow, a threat analyst at security firm Emsisoft, called the ALPHV’s actions a “cunning tactic” that is sure to worry their other victims.

Cybersecurity experts are surprised with what’s happening

Callow said most of the victim-shaming blogs maintained by major ransomware groups exist on obscure, slow-loading sites on the Dark Web. Users could reach those sites only with third-party software such as Tor. But the website created by the ALPHV as part of this new pressure tactic is available in the Surface Web. Hence, everyone who wants to check the information on the certain visitor is welcome. Companies are likely to be more concerned about the prospect of their data being shared this way than just being posted on an obscure Tor site whose URL almost no one knows,” Callow said. “It will piss people off and force them to react together.” Apparently, Callow alludes to the high probability of the FBI to pay attention to the gang with such sly tricks. And that is not the single case wherethe US law enforcement were going for these crooks.

It’s unclear if the ALPHV plans to apply this approach to every victim, but other recent gang victims include a US school district and city. This is most likely a test run to see if it improves the results. “We are not going to stop, our leak distribution department will do everything possible to bury your business,” the victim’s website says. “At this point, you still have a chance to maintain the safety and reputation of your hotel. We strongly encourage you to be proactive in your negotiations; you don’t have much time.”

What is BlackCat/ALPHV ransomware?

Launched in November 2021, ALPHV is perhaps most notable for its programming language – Rust. Such a choice allows them to circumvent the detection from the conventional security solutions. Additionally, that made their malware cross-platform, so it can be freely launched on Windows and any of *NIX systems. ALPHV actively recruits operators from several ransomware organizations, including REvil, BlackMatter and DarkSide, offering partners up to 90% of any ransom paid by the victim organization.

Many security experts believe that ALPHV/BlackCat is simply a rebranding of another ransomware group, Darkside, also known as BlackMatter. That gang is responsible for the 2021 Colonial Pipeline attack. This attack lead to fuel shortages and price spikes on the U.S. East Coast. That’s why, exactly, I have mentioned that the attention from law enforcement is not new for those people. Are they fearless now?

Let’s sum the things up

The fact that the ransomware group stepped up to posting the leaked info, and in particular the information about individuals, is outrageous. Even more disgusting is that they created a page for that in the surface web. Still, such a technique can turn positive for individuals whose data is leaked. Mr. Callow I have cited above supposed there may be a silver lining to this ALPHV innovation, mentioning his wife’s conversation with Cl0p ransomware gang representatives.

“On the positive side, tricks like this mean that people can find out that their personal data has been compromised. Cl0p sent a letter to my wife last year. The company that lost her data still hasn’t made the information public or notified the affected people (at least she hasn’t heard anything from the company).”

Sure, receiving the leak notification in such a manner is not a pleasant thing. But that is way better to remain unaware at all, like it happens pretty often. Who knows, maybe that case will push the stakes and force the companies to claim about the leaks as soon as they are uncovered? What a time to be alive.

The post BlackCat ransomware gang publishes leaked data on the clear web site appeared first on Gridinsoft Blog.

About BlackCat ransomware

BlackCat ransomware is not a newbie on the ransomware scene, however, it is far from its old-timers – Conti or HiddenTear. Their first activity was in November 2021, and became known for using Rust programming language in the payload. That made their malware harder to detect, and can be run on different operating systems, including Windows, FreeBSD and Linux. The distributors they sell the ransomware to seem to be pretty professional, since there are no patterns in their actions and each attack is executed differently from the other. As it is usual for the majority of modern ransomware groups, double extortion is applied. ANOZR WAY reports about 12% of attacks accounted for that ransomware in 2022 – an enormous share for such a young group.

On Monday, June 13, 2022, Microsoft published a blog detailing the BlackCat grouping. The company reviewed successful attacks against Windows and Linux devices, as well as VMWare instances. Microsoft called BlackCat (a.k.a. ALPHV) a prime example of the “hacker gig economy” as it actively offers the ransomware-as-a-service model. The Rust programming language helps groupings avoid detection by conventional security tools and creates problems for security professionals by making it difficult to reverse engineer the payload or compare it with similar ransomware. Typically, hackers infiltrate systems using stolen victim credentials and remote desktop applications.

BlackCat attacked the Italian university

On June 11th, 2022 (Saturday), the University of Pisa reported about the ransomware attack. Typically, their files were encrypted, but there were no ransom notes for the case. The ransom note appeared several days later – on June 14. Cybercriminals asked for $4.5 million ransom to be paid until June 16, 2022. That is a pretty big sum for such a small period, still not the record one. A year ago, Kaseya received a $70 million ransom demand from REvil ransomware – and that did not end well for the ransomware group. It is still not clear how exactly hackers managed to get into the corporate network, as well as will the ransom be paid at all. Neither the gang nor university representatives did not give any comments on this situation.

The BlackCat group looks ridiculous at the current state of ransomware. Some analysts compare it with the LockBit ransomware group, which is either known for its superior software base. And in the absence of any restrictions for possible targets make it possible for the group to take over the market share of other actors. Microsoft also reported about DEV-0504 and DEV-0237, two ransomware gangs using the latest software from BlackCat. Payload modification is common among ransomware-as-a-service groups, the company says, as it generates a lot more money and makes ransomware more difficult to detect.

The post BlackCat Ransomware Attacks Italian University appeared first on Gridinsoft Blog.