Ransomware attack Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ransomware-attack/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 05 Dec 2023 12:26:57 +0000

Tipalti, Roblox and Twitch Hacked by ALPHV/BlackCat
https://gridinsoft.com/blogs/tipalti-roblox-twitch-hacked/
Mon, 04 Dec 2023 15:53:58 +0000

On December 3, 2023, the ALPHV ransomware gang claimed to have hacked fintech software provider Tipalti along with two of its clients, Roblox and Twitch. The approach, however, appears to be unusual, as the gang created a listing that says “but we’ll extort Roblox and Twitch, two of their affected clients, individually”. The criminals promise to publish updated posts on Monday morning, timing that will maximize the impact on the stock price.

Tipalti Hacked, Roblox and Twitch are Collateral

On Saturday, December 3, 2023, ALPHV came out with quite an unusual claim. The hacker group said it had broken into the network of Tipalti, a payment automation and accounting software provider, back in early September 2023. The text below is quoted from their Darknet leak site:

We have remained present, undetected, in multiple Tipali systems since September 8th 2023. Over 265GB+ of confidential business data belonging to the company, as well as its employees and clients has been exfiltrated. We remain committed to this exfiltration operation, so we plan to reach out to both these companies once the market opens on Monday…
Listing of the Tipalti and other companies on the ALPHV’s Darknet site

The thing is, the company itself has not received any ransom note yet. The typical practice in such attacks is to notify the victim with a ransom note first, and only then publish information about the hack. Not this time, though: as the hackers say, they doubt the company will contact them, due to some specific details they discovered while active in the network.

…given that Tipalti’s insurance policy does not cover cyber extortion and considering the behavior of the executive team in general, observed through internal communications, we believe the likelihood of them reaching out on our terms is unlikely, regardless of the sensitivity of data in question…
Cybercriminals’ explanation of the unusual hack flow

Another detail the hackers uncover is the involvement of an insider. Well, this is not a rare occurrence, but threat actors rarely speak openly about this. And in the context of several companies taken as collateral, this sounds more like an attempt to ruin the company’s image. That especially contrasts with the official response of the company, given to the Israeli media Calcalist.

Tipalti representative’s claims regarding the hack

Roblox and Twitch Fall Victim to Tipalti Hack

The worst part about this hack is that the hackers managed to compromise two client companies, namely Roblox and Twitch. Actually, this is not the first time Roblox has been the victim of a ransomware hack: the same ALPHV gang hacked them in 2022. Twitch, though, is mentioned only in the listing title, without any further references in the text. This may indicate that the hackers managed to leak only an insignificant amount of its data.

At the same time, some serious threats directed at Roblox appear in the text. The hackers say they will publish the data of more victims (supposedly other Tipalti clients) in the months to come. To prevent this from happening, both mentioned companies should pay the ransom. They do not specify any sums, nor, more importantly, the types of data leaked from the game developer.

Is it that dangerous?

Despite how threatening the whole situation looks, I’d take it with a grain of salt. Hackers often exaggerate the total damage, especially when it comes to collateral damage. The claims about Tipalti’s clients being hacked are most likely just attempts to scare all the involved parties into paying.

What is beyond doubt, though, is the hackers’ access to some of the data. In particular, they are unlikely to lie about having access to the bulk of Tipalti’s data. For the other companies it is most likely some data about financial transactions, the things they actually delegated to Tipalti. However, this is still not great, as such a leak may be a reason for companies to switch to a different service.

To sum up, despite touching a whole array of companies, the hack brings the most harm to Tipalti. And mostly reputational: even if not a lot of clients’ info ended up in hackers’ hands, the fact of the leak persists. The obvious conclusion is to avoid deep integrations with such unreliable companies, just to minimize the possible damage in the case of another cyberattack.

UPD 12/05/2023

The original listing you could have seen above has been replaced with a more conventional one that claims the Tipalti hack. However, the threat actors still use the text note as a place for a post-scriptum. The criminals dispute Roblox’s claims about the absence of any signs of network compromise, saying that they will contact them later.

New Tipalti listing on the ALPHV ransomware Darknet site

At the moment, ALPHV hackers claim to be contacting the first group of Tipalti clients who got their info leaked during the hack. Though they do not contact the company itself, saying they are going to reach out to the clients first. Another interesting detail unveiled after the re-listing is the fact that no ransomware was used – they just leaked 265 gigabytes of data.

NortonLifeLock Hacked by Cl0P Gang, Using MOVEit Vulnerability
https://gridinsoft.com/blogs/nortonlifelock-hack-moveit-clop/
Mon, 19 Jun 2023 17:52:31 +0000

NortonLifeLock, the world-famous antivirus software developer, has reportedly been hacked by the Cl0p ransomware gang. The hackers listed it on their Darknet leak page, and it appears that the cybersecurity vendor is yet another victim of the MOVEit vulnerability.

NortonLifeLock Hacked via MOVEit Vulnerability

The vulnerability in Progress’ MOVEit MFT solution set the whole cybersecurity community abuzz. It allowed hackers to send external login requests to the cloud SQL database. After a successful brute force in such a manner, the crooks received full access to the web repository, meaning they could upload their own files and manage existing ones. Although the patch was released pretty soon after the vulnerability was discovered, it was too late. Threat actors, particularly the ones behind Cl0p ransomware, successfully abused the vulnerability to breach the companies’ networks.

NortonLifeLock listing on the Cl0p ransomware Darknet leak site

NortonLifeLock, the developer of the famous Norton Antivirus, appears to have been hacked via this vulnerability as well. Along with 80+ other companies, it has been listed on Cl0p’s Darknet leak site since the beginning of summer 2023. It is not clear, though, whether the MOVEit vulnerability was actually used, and if it was, which one of the several uncovered ones.

What is Cl0p Ransomware?

The Cl0p ransomware gang is a Russian ransomware project backed by the threat actor known as FIN7/Sangria Tempest. A lot of facts point at FIN7 being related to the Russian foreign intelligence service (a.k.a. SVR). The gang is famous for its cheeky pick of targets, a particular passion for hacking into educational institutions and heavy use of novel software vulnerabilities. Earlier this year, Cl0p ransomware was spread using a vulnerability in PaperCut – another MFT solution. The list of all vulnerabilities it exploits is obviously far longer, though.

A ransom note from Cl0p ransomware

Getting back to the Norton hack: in the note on the Darknet site, Cl0p said nothing about negotiations. Usually, if a company refuses to pay, the hackers disclose this fact and publish the leaked data. This is not the case with Norton: their record states only the fact of the hack. Negotiations commonly take up to several weeks, especially if the company is ready to pay but wishes to discuss the ransom sum.

How to protect against MOVEit vulnerability?

For any cybersecurity company, being hacked is a big reputational loss. Even though Norton is not to blame for the MOVEit vulnerabilities, they were hacked and potentially let user information leak, and that already damages their image. Until detailed information about how exactly they were hacked and how much data was lost is available, it is hard to say whether users will suffer. And although Norton is not entirely at fault in this situation, they could have used several preventive measures that minimise the chances of zero-day vulnerability exploitation.

Probably the best method of 0-day counteraction is using a zero-trust security solution. Such solutions have their disadvantages, particularly high resource consumption and higher access delays, but their effectiveness is exceptionally good. When set up properly, they will not allow any program to perform an action without a diligent check, and that is what could have stopped Cl0p at the moment of MOVEit exploitation.

Philadelphia Inquirer is Struck by Cuba Ransomware
https://gridinsoft.com/blogs/philadelphia-inquirer-cuba-ransomware/
Wed, 24 May 2023 14:57:06 +0000

The Philadelphia Inquirer, Philadelphia’s largest newspaper by circulation and third-longest-running newspaper in the USA, suffered a cyberattack on May 15, temporarily disrupting the newspaper’s distribution. A Cuba ransomware gang claimed responsibility for the incident.

About Philadelphia Inquirer

The Philadelphia Inquirer is one of the oldest newspapers in the United States, first published in 1829 and still published today. During that time, it has won 20 Pulitzer Prizes for its journalistic achievements. Today it reaches an audience of more than 13 million people monthly. On May 15, however, The Inquirer reported a cyberattack that forced them to shut down their computers and interrupt Sunday’s edition, so subscribers could instead follow the news via the electronic version of the paper, which was unaffected. According to the publication, this is the most serious incident since the Jan. 7-8, 1996, snowstorm.

Electronic version of the Philadelphia Inquirer

Philadelphia Inquirer Hacked by Cuba Ransomware

Following the cyberattack report, the Inquirer hired forensic experts from Kroll to investigate the incident. It is worth noting that the cyberattack occurred days before the Philadelphia mayoral election. Initially, a spokesperson for the newspaper did not specify whether the attack was linked to ransomware. However, judging by the fact that the stolen data later went public, this was probably the case. Apparently, the newspaper refused to pay the ransom.

Cuba ransomware gang claims responsibility

On May 23, the Cuba ransomware gang announced on their site that they had stolen files from the Philadelphia Inquirer’s computers. The criminals published all the stolen data on their own Darknet leak site. According to the attackers, the data includes financial documents, correspondence with bank officials, balance sheets, account activity, tax documents, compensation, and source code. However, newspaper representatives did not specify whether customer data had been stolen, nor whether the published data actually belongs to the company.

Cuba ransomware publishes stolen files on its website

Who is the Cuba ransomware gang?

Cuba ransomware was first detected in late 2019. Despite its Cuban nationalist themes, intelligence suggests some Russian affiliation for the group, based on messages containing typical Russian spelling mistakes. According to the FBI, as of August 2022, Cuba ransomware had received $60 million of the 145 requested and compromised 101 organizations. In addition, the gang has been linked to attacks on Ukrainian government institutions, in which phishing emails delivered the ROMCOM RAT malware associated with Cuba ransomware. Gang members also used Microsoft Exchange vulnerabilities to gain initial access to corporate networks. Apparently, the gang had been out of sight since early winter 2022 and only became active again in early May 2023.

Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR
https://gridinsoft.com/blogs/ransomware-attacks-increasingly-using-aukill-malware-to-disable-edr/
Sun, 07 May 2023 19:35:20 +0000

A new cybercrime tool called “AuKill” has emerged, which attackers use to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware.

AuKill malware uses malicious device drivers to infiltrate systems. Recently, researchers from Sophos discovered an attacker using AuKill before deploying Medusa Locker ransomware and another attacker using it on an already compromised system before installing the LockBit ransomware. The trend is a response to the growing effectiveness of EDR tools, which give security vendors a significant advantage in spotting attacks, so threat actors are targeting the tools that cause them the most trouble.

AuKill drops a driver named PROCEXP.SYS, taken from release version 16.32 of Process Explorer, into the same location as the legitimate version of the Process Explorer driver (PROCEXP152.sys). Once on a system, the tool abuses the legitimate driver to execute instructions that shut down EDR and other security controls on the compromised computer. Sophos has analyzed six different versions of AuKill and noticed some substantial changes with each new version. Newer versions target more EDR processes and services for termination.

The maliciously installed Process Explorer driver, highlighted in red, in the Drivers folder alongside the legitimate Process Explorer driver, procexp152.sys
AuKill has been used to deploy multiple types of ransomware, including Medusa Locker and LockBit, since the beginning of 2023. Researchers have discovered six different variations of the malware so far, with the earliest one having a timestamp indicating it was compiled in November 2022.

These attacks are similar to a series of incidents reported by Sophos, Microsoft, Mandiant, and SentinelOne in December. In those attacks, threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to other exploits. Like other drivers, the vulnerable Process Explorer driver that AuKill leverages has privileged access to installed systems and can interact with and terminate running processes.
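As an added example (not Sophos’ or Gridinsoft’s code), the following Python checks driver-load records for the pattern described above: the PROCEXP.SYS name sitting in the Drivers folder and a Process Explorer driver loaded by something other than Process Explorer. The record format, the Loader field, the dropper name and the sample records are constructed for this example; the two driver file names come from the article.

```python
"""Detection logic for the AuKill driver-drop pattern described above."""
import ntpath
from dataclasses import dataclass

DRIVERS_DIR = r"c:\windows\system32\drivers"
# File names from the article: AuKill drops PROCEXP.SYS, the legitimate driver is PROCEXP152.SYS.
AUKILL_DROPPED_NAME = "procexp.sys"
LEGIT_NAME = "procexp152.sys"
PROCEXP_DRIVER_NAMES = {AUKILL_DROPPED_NAME, LEGIT_NAME}
# Assumption: the genuine driver is only ever loaded by Process Explorer itself.
PROCEXP_BINARIES = {"procexp.exe", "procexp64.exe"}


@dataclass(frozen=True)
class DriverLoad:
    image: str   # full path of the driver file that was loaded
    loader: str  # process that triggered the load (assumed field, not a Sysmon one)


def parse_record(line: str) -> DriverLoad:
    """Parse one 'Key=Value|Key=Value' record (constructed log format)."""
    fields = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip().lower()] = value.strip()
    return DriverLoad(fields.get("imageloaded", ""), fields.get("loader", ""))


def classify(event: DriverLoad) -> list:
    """Return the list of findings for a driver-load event (empty if benign)."""
    name = ntpath.basename(event.image).lower()
    folder = ntpath.dirname(event.image).lower()
    if name not in PROCEXP_DRIVER_NAMES:
        return []  # not a Process Explorer driver: out of scope for this check
    findings = []
    if name == AUKILL_DROPPED_NAME and folder == DRIVERS_DIR:
        findings.append("aukill-dropped-driver-name")
    if ntpath.basename(event.loader).lower() not in PROCEXP_BINARIES:
        findings.append("procexp-driver-loaded-without-procexp")
    return findings


def scan(lines) -> list:
    """Return (driver file name, findings) for every suspicious record."""
    results = []
    for line in lines:
        event = parse_record(line)
        findings = classify(event)
        if findings:
            results.append((ntpath.basename(event.image), findings))
    return results


def coexisting_procexp_drivers(listing) -> bool:
    """True when both driver names sit in one folder, as in the screenshot above."""
    names = {n.lower() for n in listing}
    return PROCEXP_DRIVER_NAMES <= names


# Constructed sample records; "dropper.exe" is a placeholder, not a real AuKill name.
SAMPLE_LOG = [
    r"ImageLoaded=C:\Windows\System32\drivers\PROCEXP152.SYS|Loader=C:\Tools\procexp64.exe",
    r"ImageLoaded=C:\Windows\System32\drivers\PROCEXP.SYS|Loader=C:\Users\Public\dropper.exe",
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Loader=C:\Windows\System32\ntoskrnl.exe",
]
SAMPLE_LISTING = ["PROCEXP152.SYS", "PROCEXP.SYS", "tcpip.sys"]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_LOG):
        print(f"{name}: {', '.join(findings)}")
    print("both Process Explorer drivers present:", coexisting_procexp_drivers(SAMPLE_LISTING))
```

Because the dropped driver is legitimately signed, a signature check alone would not catch it; the name, location and loading process are what stand out.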

Azov Ransomware Tries to Set Up Cybersecurity Specialists
https://gridinsoft.com/blogs/azov-ransomware-set-up-cybersecurity-specialists/
Tue, 01 Nov 2022 17:12:24 +0000

Azov ransomware, a newcomer to the encryption malware market, appears with a rather unusual strategy. This malware seems to be a simple vandal that shifts responsibility to honorable malware analysts. It gives users no chance to decrypt the files, as the analysts can neither decrypt them nor find the threat actor.

Azov ransomware asks for Ukraine support

This ransomware took the name of a famous Ukrainian battle squadron, Azov. They are known far beyond the battlefields of the Russo-Ukrainian war, and mostly in a positive light. Meanwhile, Azov ransomware ciphers users’ files, giving no workable instructions to go with them. Ciphered files receive the .azov extension and cannot be accessed in the usual way. Moreover, there is no decryptor tool available at the moment.

Files encrypted by Azov ransomware

Claims like “contact ransomware analysts” look more like an attempt to tie those analysts to this cybercrime. The crooks even signed the ransom note with the nickname of one of them, Hasherezade. Others mentioned in the ransom note are Michael Gillespie, Vitaly Kremez, and Lawrence Abrams. However, they are not sorcerers and cannot decipher your files.

Ransom note posted by Azov ransomware

The malware itself is delivered through SmokeLoader, the backdoor that is also used to deliver STOP/Djvu ransomware and RedLine stealer. Overall, the distribution of this malware relies heavily on cracked software and keygen applications. Since there is no real way to reach the Azov operators, this malware is a destructive wiper rather than ransomware. Attacked users have already begun complaining on different resources, including to the analysts mentioned in the ransom note. However, the researchers do not yet know how to help the victims.

Ransomware gets politically preconceived

There is nothing new in ransomware attacks having a political motivation. The Russia-related Conti group claimed responsibility for cyberattacks on governmental organizations of Western countries. Soon after the Russian war against Ukraine started, a number of Ukrainian hackers emerged, spreading ransomware to Russia and its allies. Still, Azov ransomware does not look politically biased against Russia, contrary to what you may think looking at its name.

Its ransom note gives several signs that its creator is Polish (or it is just an attempt to make us think so). It blames the German and US governments for giving no support to Ukraine in the current war, which is far from reality: both countries are the biggest suppliers of different goods and the biggest monetary donors. The calls to “make revolution”, with a reminiscence of the “sweet times” of Merkel’s chancellorship and pre-Biden times (i.e., Trump’s presidency), draw a clear picture. It is obvious who the main beneficiary of any drastic changes in the current governments of European countries and the USA would be. And impersonating their rivals to spread turmoil is not a new trick for Russians.

Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer
https://gridinsoft.com/blogs/stop-djvu-ransomware-discord-redline/
Tue, 02 Aug 2022 20:24:23 +0000

The infamous STOP/Djvu ransomware has adopted a new spreading tactic. According to a report by Avast Threat Labs, a malware intelligence group, ransomware distributors opted for Discord as a place to spread their malware.

STOP/Djvu spreads in Discord, features RedLine stealer

According to the latest notifications, STOP/Djvu ransomware is being spread through malicious spam messages in Discord. The senders pretend to share something useful and offer a 7zip archive that actually carries the malware. The archive is password-protected, but the password is very simple: 1234. That is a pretty typical practice when users share something on social networks. Inside this package, however, there is an executable file of the Djvu malware, probably the .vveo and .vvew variants. The campaign touches users from Argentina, Vietnam, Turkey, and Brazil.

The file itself is additionally disguised to lull vigilance and avoid detection by some basic anti-malware tools. It has an invalid AVG certificate embedded and AceCrypter protection, which lets it pass certificate-based check-ups. Such a tactic is pretty new for STOP/Djvu ransomware. Earlier, they masked their malware with a specific repacking that required special database signatures to counteract. Whether the certificate is just an experimental feature or a new approach, only the crooks know.

The spreading model is also worth a separate note. Before, the Djvu gang was reportedly creating fake one-day sites offering torrent downloads of popular content. Popular films, sitcoms, and new games always provide a suitable disguise. However, this is a common situation for a group that applies a Ransomware-as-a-Service scheme: one distribution team may simply be testing this spreading approach.

STOP/Djvu ransomware comes with RedLine stealer

Again, supplementary spyware is not new for Djvu ransomware. Earlier versions of this malware carried the legendary Azorult spyware, which appeared in 2016. Since adopting it in 2020, the STOP/Djvu group has stealthily grabbed victims’ credentials to sell them later on the Darknet. RedLine is younger, active since 2020, and has several unique features that possibly make it more desirable for the developers. Again, whether such a change is temporary or not is unclear, as Azorult and RedLine have similar functionality. The worst part is that victims should still change all their passwords after the attack. Otherwise, they may find their social network accounts being used as part of a botnet.

RedLine Stealer detections on VirusTotal

What is STOP/Djvu ransomware?

This ransomware family is worth a few words. After appearing in 2017, this ransomware quickly gained a large share of the ransomware arena. It aims at individual users and asks for $450-$900 for file decryption. This ransomware uses the AES-256 cipher in CFB mode together with the RSA algorithm. There are several possible ways to decrypt the files after a STOP/Djvu ransomware attack, but most rely on exploiting the offline keys. Situations where your files are ciphered with online keys are likely unsolvable, unless you pay the ransom or have your files backed up. There is also the possibility of getting your files back after the gang dissolves, but such an outcome is rather unlikely. The STOP/Djvu gang has been running for too long to simply cease to exist; in the worst-case scenario, it will just decrease its activity.

Methods Hackers Use to Infect You Ransomware
https://gridinsoft.com/blogs/infect-ransomware/
Wed, 27 Jul 2022 15:32:14 +0000

Ransomware hits the headlines almost daily. And most incidents target large corporations with enough capital to justify the attack. But sometimes ordinary people get infected as well. Some attackers choose small but constant collections with a “spray-and-pray” approach. And in light of recent events, we can see increased attacks on consumers. So today, we’ll look at the primary attack vectors that attackers use to infect us with data-encrypting malware.

Ransomware is malware that can encrypt data in order to make money. Typically, attackers leave a ransom note. It contains instructions on how to pay them to get the decryption key. And with the advent of digital, untraceable currencies such as bitcoin, the number of attacks has increased over the past decade. Next, we’ll look at five of the most common ransomware deployments that attackers use.

Warez Sites, Torrents, and Cracked Applications

The most common places for ransomware infections are warez and torrent sites. There, people usually download pirated content or unofficial software packages that are unlikely to be verified. Hence, these questionable media are ideal places for ransomware to spread. Attackers upload their malware inside of the hacks for popular games, or movies – and advertise them as clean and safe. Trusting users download malware-infected files and, in an attempt to run them, deploy the ransomware with their own hands.

To prevent ransomware infection, avoid unofficial software repositories, warez sites, and illegal torrents! Piracy is terrible in itself. The use, distribution, and creation of hacks for the software are illegal and entail criminal liability. There is also a good chance that you will get a ransomware program on your computer instead of free software.

Phishing

Today, phishing emails are the most common method of distributing malware for both hackers and government-sponsored hacker organizations. Hackers have become more masterful at creating emails that trick employees into clicking on links or downloading a file with malicious code. The old phishing emails from a Nigerian prince who wants to share part of his fortune with you (for a small fee) are a thing of the past. They have now been replaced by compelling emails replicating a company’s logo and branding. These phishing emails may come in many shapes, sizes, and colors, but they have one thing in common: a sense of urgency.

One sign of a phishing email is the sender’s email address. The sender name may appear legitimate in most cases, such as “Microsoft-Support.” However, the associated email address is something fake, such as JohnDoe@MyDomainGotHacked.com. In attachments, hackers use standard file formats such as Word, PDF, Excel, and ZIP to make the message less suspicious. If the attachment is opened, the ransomware immediately delivers its payload, encrypting the files and holding them for ransom. Let your internal IT security team know if you receive an email and think it is phishing. They will be able to evaluate it and block it if necessary. If you don’t have an internal IT security group, block it in your spam filter and delete it.

Tech Support Scams

Another less obvious way to get infected with ransomware is through tech support scams. This is related to the previous point, but it is better to mention it separately. In this case, scammers target vulnerable groups, such as the elderly. They trick the victim into giving them remote access to their computer, then launch an attack. There have been known cases where tech support scammers have carried out attacks without even using actual ransomware. Instead, they have used Syskey. This Windows NT component encrypts the Security Account Manager (SAM) database using a 128-bit RC4 encryption key. Decades later, Syskey was removed in Windows 10 because it was abused in ransomware attacks, and its cryptography became insecure as technology evolved.

Remote Desktop Protocol (RDP)

Another way to deploy ransomware is through the RDP protocol. RDP normally listens on port 3389, and if that port is exposed it can become a gateway for ransomware attacks. Attackers use port scanners to find Internet-facing systems with the port open. Once systems are identified, they try brute-force attacks to log in as an administrator. Since Microsoft Windows is used in over 90% of the world’s countries, criminals have plenty of opportunities to steal data, especially from small businesses. Fortunately, this problem is solvable, and there are several steps you can take to protect RDP endpoints.

  • First, change the default port (3389).
  • Then enable two-factor authentication for remote sessions and require Network Level Authentication (NLA) for new connections.
  • Use a VPN so that only corporate users can reach RDP.
  • Also, where possible, disable unneeded inbound connections and close the port when it is not in use.
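The brute-force pattern described above (many failed RDP logons from one source, then a success) leaves a clear trace in the Windows Security log. The detection below is an added example, not code from Gridinsoft: it works over constructed, simplified records of Event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the threshold and window are assumed values to tune for your environment.

```python
"""Flag RDP password guessing in simplified Windows Security log records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event id, logon type, account, source IP).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2023-12-04T03:00:01", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-12-04T03:00:03", 4625, 10, "admin", "203.0.113.5"),
    ("2023-12-04T03:00:05", 4625, 10, "guest", "203.0.113.5"),
    ("2023-12-04T03:00:09", 4625, 10, "root", "203.0.113.5"),
    ("2023-12-04T03:00:12", 4625, 10, "Administrator", "203.0.113.5"),
    ("2023-12-04T03:00:20", 4625, 10, "administrator", "203.0.113.5"),
    ("2023-12-04T03:00:30", 4624, 10, "administrator", "203.0.113.5"),  # success after the burst
    ("2023-12-04T09:15:00", 4625, 10, "jsmith", "10.0.0.23"),          # one typo from the LAN
    ("2023-12-04T09:15:10", 4624, 10, "jsmith", "10.0.0.23"),
    ("2023-12-04T09:20:00", 4625, 2, "jsmith", "10.0.0.23"),           # console logon, ignored
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed RDP logons reach `threshold`
    inside `window`; a success from the same source within a window after the
    burst is reported as a likely compromise."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, account, src in events:
        if logon_type != 10:          # only RDP sessions are of interest here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append((t, account))
        elif event_id == 4624:
            successes[src].append((t, account))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):        # sliding window over sorted failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = attempts[end][0]
                compromised = any(burst_end <= t <= burst_end + window
                                  for t, _ in successes.get(src, []))
                alerts[src] = {
                    "failed": len(attempts),
                    "accounts": sorted({a.lower() for _, a in attempts}),
                    "success_after_burst": compromised,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```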

Drive-by Downloads From a Compromised Website

Another way attackers deliver ransomware is through drive-by downloads: malicious downloads that happen without the user’s knowledge when they visit a compromised website. Attackers often exploit known vulnerabilities in the software of legitimate websites to inject malicious code into the site, or to redirect the visitor to another site they control that hosts an exploit kit. The exploit kit silently probes the visiting device for specific weaknesses and, if it finds one, runs its code in the background without the user clicking anything. The unsuspecting user is suddenly confronted with a ransom note warning of the infection and demanding payment to regain access to the files.

At first glance this may seem like something found only on small, obscure sites, but it is not. Drive-by downloads are not limited to little-known sites; they have occurred on some of the most popular sites in the world, including the New York Times, BBC and NFL, all of which have been used to deliver ransomware through hijacked ads. Popular ransomware programs that have exploited victims through drive-by downloads include:

  • CryptoWall
  • Princess Locker
  • CryptXXX

Conclusion

Ransomware has become a favorite way for cybercriminals to generate revenue. It is easy to buy on the darknet through Ransomware-as-a-Service (RaaS), and attacks are relatively easy to launch using one of the methods above. Organizations therefore need to understand how attacks can target their systems and to take proactive steps, as part of a layered approach to security, to protect themselves and ensure business continuity. The easiest way to become a victim of ransomware is not to be proactive in your defense strategy. Attackers often pick the low-hanging fruit, relying on human error and sophisticated software to spread the infection. So don’t underestimate the importance of keeping up with the latest malware trends and with ways to bolster your system’s defenses.

Gridinsoft has been stopping ransomware attacks for years to ensure business continuity and productivity. Try Ransomware Protection, a protection tool for Windows, to detect and protect against destructive attacks.

U2K Ransomware Strikes, Thousands Of Victims
https://gridinsoft.com/blogs/u2k-ransomware/
Thu, 14 Jul 2022 14:15:24 +0000

U2K ransomware, probably a rising star in the ransomware arena, appeared on July 10, 2022. It instantly infected a huge number of users and keeps spreading, despite widespread alarm in the security community.

U2K ransomware (U2K files encrypted) – what happened?

Numerous analysts report a new ransomware variant hitting users’ devices. It likely uses the same distribution methods as most other ransomware families: software cracks and dubious tools spread through torrent downloads. Still, there are no details about the distribution route yet, since the threat is only 4 days old. However, it has already struck over 10 thousand users, an enormous number for a no-name ransomware. There are several similarities with another ransomware variant that does not belong to any family, MME ransomware, but that one was far from being so widespread.

The ransomware variant that has dominated the market in recent years, STOP/Djvu, has been pushed aside for the moment, as its latest HHEW variant barely scored 5k infections. That is remarkable, since Djvu ransomware was a complete monopolist among the groups that attack individual users: it accounted for over 70% of all attacks on single users, and that share held for over 2 years.

U2K files – how to decrypt them?

Currently, cybersecurity analysts believe there is no free way to decrypt files after a U2K ransomware attack. It likely uses the AES cipher, as most ransomware does. Even if the implementation has flaws that make decryption possible, it will take time to uncover them and turn them into a working tool. As of now, neither brute force nor decryption tools can do anything with the encrypted files. If there are no weaknesses in the AES mode the crooks applied, finding the key by brute force would take millions of years.

After finishing the encryption, the malware appends its own extension (.U2K) to each file and leaves a ransom note on the desktop. In the ReadMe.txt file the victim finds a link to a Darknet page. The other lines insist that there is no way to get the files back and that all the victim can do is contact the crooks and agree on a payment. The full contents of the ransom note are the following:

Ransom note that U2K ransomware generates on the victim’s desktop

Red Stealer comes together with U2K ransomware

Analysts who examined the U2K ransomware file note that a stealer accompanies the main payload. This tactic is not new; most modern ransomware does the same. In particular, STOP/Djvu ransomware brings the Azorult spyware to steal the victim’s credentials. Having spyware or a stealer in the bundle does not necessarily mean double extortion: the credentials the hackers receive are used directly to hijack your social network accounts. The hackers don’t notify you about that and don’t give you a chance to buy your login info back.

The ransom size is likely individual for each victim. The crooks name the sum after a conversation on the Darknet site, where you have to create a ticket (as with tech support) and wait for a response. That is not typical for rascals who target individuals, since communication through the Darknet is usually the prerogative of groups that target corporations. For the latter it is essential, since the ransom is obviously unique for every hacked company and haggling is allowed. Among gangs that attack individuals, only Magniber ransomware practices this trick.

Darknet site of U2K ransomware. The login window offers you to create an account and open a ticket

How to protect yourself?

Ransomware is considered one of the most dangerous kinds of malware today. It is better to avoid it altogether than to deal with the aftermath of an attack. Fortunately, it uses fairly straightforward delivery methods when it targets individual users’ PCs. Still, it is much better to have all the precautions in place regardless of how likely an attack seems.

  • Don’t use software cracks and dubious tools. These are probably the most popular and longest-lasting ways of spreading malware. Malicious applications come in different disguises, but most often they pose as apps that ask you to disable your antivirus before installation.
  • Avoid offers on forums. You can sometimes find extremely generous offers on forums, like a free key for a certain application. If you are not sure who the user is, it is better to avoid such offers, especially when you are visiting that forum for the first time looking for a solution to a problem.
  • Use anti-malware software. A proper anti-malware program with a heuristic engine will stop even the newest ransomware variant, and will keep you from falling into traps of this kind. GridinSoft Anti-Malware is a security program that can protect you from several directions.
  • Use advanced backup tools. Most ransomware variants can disable the standard backup utilities, like System Restore, OneDrive or Volume Shadow Copy. That is useless against copies of important files on a removable drive, or against backups kept in cloud storage.

Bandai Namco Hacked, ALPHV Group Claims
https://gridinsoft.com/blogs/bandai-namco-hacked-ransomware-attack/
Mon, 11 Jul 2022 15:58:03 +0000

On Monday, June 11, 2022, information about a cyberattack on the video game publisher Bandai Namco appeared. Reportedly, the novice cybercrime group BlackCat/ALPHV encrypted the company’s files and leaked its data, according to the post on their Darknet leak page.

Ransomware Attack on Bandai Namco

The Japanese game studio was reportedly struck by ALPHV ransomware earlier today. The way of penetration, as well as the ransom sum, remain unknown. That is typical for the BlackCat ransomware group: earlier, they kept the details of their attack on the University of Pisa secret until the university disclosed the information itself. In that case they asked for $4.5 million, a fairly average sum for an organisation of that size. However, Bandai Namco has a much bigger turnover, so the hackers may ask for two or three times as much.

Still, the BlackCat group’s penchant for secrecy is only partial. After another successful attack, the group began publishing the leaked information soon after the target company refused to pay the ransom. Contrary to the vast majority of ransomware groups, they posted it not on a Darknet page but on the surface web, accessible to any user. The site was taken down fairly soon, but the fact remains: they are not just selling the data, but also shaming their victims. That may also be a sophisticated way to force the company to disclose the cybersecurity incident.

The post on ALPHV group’s Darknet leak page

About BlackCat/ALPHV group

BlackCat is a notorious cybercriminal gang that appeared in November 2021. In June 2022, it accounted for over 30% of all ransomware attacks. These days it shares the ransomware arena with the LockBit group, another infamous gang that has been running since 2019. Strictly speaking, it is incorrect to call the BlackCat/ALPHV gang a newbie: many analysts assume that it is just a rebranding of BlackMatter ransomware, which ceased its activity in May 2021. The latter is widely known for the attack on Colonial Pipeline, which caused a serious gas price surge on the US East Coast.

BlackCat ransomware ransom note

However, BlackCat as a new gang got its own “identity”. First and foremost, it uses a unique payload written in the Rust programming language. Rust is a rare guest in malware, so their payload can easily bypass protection mechanisms, and it does so successfully on Windows and even on *NIX systems. Another notable element of this gang is its recruitment policy: they take only 10% of the ransom. Together with hiring hackers from the REvil, DarkSide and Conti groups, that creates a quasi-team of professionals. In fact, they are still just criminals, but extremely dangerous ones.

Ryuk – Devastatingly Effective Targeted Ransomware
https://gridinsoft.com/blogs/ryuk-ransomware/
Wed, 22 Jun 2022 11:42:47 +0000

Ransomware is a malicious program that an attacker plants on your device to encrypt your data and hold your digital life hostage. Ryuk ransomware works like typical ransomware, but enhanced: it deliberately preys on high-profile targets capable of paying large sums of money. Today we will learn what Ryuk ransomware is, how it came to be, how it spreads, and what the risks and consequences of encountering it are.

What is Ryuk Ransomware?

Ryuk ransomware is malware that hackers use to attack their targets, infecting systems and encrypting data files; the malefactors then keep the victim’s data inaccessible until a ransom is paid. The malware is named after the famous manga character from the movie Death Note, where “Ryuk” is a god of death who kills his victims selectively. The Ryuk ransomware virus has attacked businesses, governments and public institutions such as hospitals and schools. Like any ransomware, Ryuk can bring devastating consequences, especially for organizations with critical digital assets: hospitals that rely on electronic records to administer the right medication, or remotely managed energy or water facilities. Ryuk attacks never overlook vulnerable targets, and cybercriminals have recently doubled their ruthless attacks.

History of Ryuk Ransomware

Ryuk first appeared in August 2018, when it encrypted the files of hundreds of small municipalities, logistics companies and technology firms worldwide. Although that was the first public appearance of the Ryuk ransomware virus, cybersecurity experts found a link between its code structure and a strain of the Hermes ransomware discovered earlier, in 2017. The Ryuk threat became especially alarming in 2021, when a new variant with Internet-worm-like capabilities emerged, able to spread between computers and systems without human involvement. It accelerated the attack chain and made it easier for hackers to bring down entire networks.

Ryuk’s Spread Methods

Ryuk attacks most often begin with phishing emails. Ryuk attackers conduct targeted phishing campaigns aimed at people with access to enterprise-level software or systems. They send victims innocuous-looking emails with malicious attachments. Although the attachment may look like a Word document, it launches a Trojan (such as Trickbot or Emotet) when opened.

Algorithm of Action

However, this initial malware is not the ransomware itself. It is a tool that lets the attacker take command and control of the machine so that a ransomware payload can be deployed later. Once the victim’s network is compromised, the attackers decide whether, in their opinion, it is worthwhile to investigate and penetrate it further. If the target is deemed lucrative enough to demand a large ransom, they deploy Ryuk. Once deep in the system, the hackers stealthily collect administrator credentials and identify domain controllers, so that Ryuk can strike as hard as possible across the maximum attack surface when the payload is finally released.

Ryuk then encrypts computer files, data and system access, making it impossible to retrieve information or run programs. It also disrupts the Windows system recovery function, forcing victims to choose between losing their data and paying the ransom. The attack is so sudden and devastating that in most cases the victim prefers to pay, which makes this one of the most significant computer threats in recent memory. Since Ryuk is a human-operated attack, the crooks behind it use manual hacking techniques to gain access and spread the malware across networks. This attack chain pattern was observed in 2018, 2019 and 2020.

The scheme shows the infection sequence from the bait file to the data-encrypting executable.

Studies of recent attacks show that Ryuk has evolved and can now spread without human involvement, which is more typical of a worm than of a classic computer virus. However, the initial compromise is still associated with classic social engineering techniques such as phishing, spam and spoofing.

Ryuk Encryption Routine

Once deployed, Ryuk encrypts all files except those with the .dll, .lnk, .hrms, .login, .ini and .exe extensions. It also skips files stored in the Windows System32, Chrome, Mozilla, Internet Explorer and Recycle Bin directories. These exclusion rules are probably meant to keep the system stable and to let the victim use a browser to make the payment.

Ryuk uses strong AES-256-based file encryption and gives the encrypted files a new extension: .ryk. The AES keys are encrypted with an RSA-4096 public/private key pair controlled by the attackers. In practice the whole process is a bit more complicated and involves several keys, each encrypted with other keys. As a result, each Ryuk executable is built specifically for a particular victim, even when it is deployed on several systems, using the private key generated for that victim. Thus, even if the RSA private key associated with one victim is revealed and published, it cannot decrypt files belonging to other victims.

Currently, no publicly available tool can decrypt Ryuk files without the ransom being paid, and researchers warn that even the decryption tool the Ryuk attackers provide to victims can sometimes corrupt files. This usually happens with large files, where Ryuk intentionally performs only partial encryption to save time. Also, some whitelisted system files and directories can still be encrypted by Ryuk, which sometimes leaves the system unable to boot after a restart. All of these problems make recovery more difficult and increase the cost of a Ryuk attack to its victims. Like most ransomware, Ryuk attempts to delete volume shadow copies to prevent data recovery by alternative means. It also carries a kill.bat script that disables various services, including network backup and the Windows Defender antivirus.
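The staging steps just described (shadow copy deletion, disabling Windows recovery, and a kill.bat that stops backup and Defender services) show up as a burst of process-creation events on one host, which is where a defender can still catch Ryuk before encryption starts. The detection below is an added example, not Gridinsoft code: the log lines are constructed in a simplified Sysmon/4688-like format, and the window and category threshold are assumed values.

```python
"""Correlate Ryuk-style pre-encryption staging in process-creation logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified, constructed log format: "<iso timestamp> <host> user=<user> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Behaviour category -> regex over the command line, matching what the article describes.
STAGING_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "defense_or_backup_service_stopped": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+(stop|config|delete)\s+\"?\w*(defend|backup|veeam)\w*", re.I),
    "kill_script": re.compile(r"\bkill\.bat\b", re.I),
}

# Constructed sample: one host shows the full staging burst, the others only benign admin work.
SAMPLE_LOG = r"""
2022-06-20T10:00:01 FS01 user=CORP\j.doe cmd="C:\Program Files\Backup\agent.exe" /status
2022-06-20T10:02:15 FS01 user=CORP\admin cmd=cmd.exe /c C:\Users\Public\kill.bat
2022-06-20T10:02:16 FS01 user=CORP\admin cmd=net.exe stop WinDefend
2022-06-20T10:02:17 FS01 user=CORP\admin cmd=vssadmin.exe delete shadows /all /quiet
2022-06-20T10:02:18 FS01 user=CORP\admin cmd=bcdedit.exe /set {default} recoveryenabled no
2022-06-20T14:30:00 WS07 user=CORP\m.lee cmd=vssadmin.exe list shadows
2022-06-21T09:00:00 WS09 user=CORP\it.ops cmd=net.exe stop BackupSvc
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def classify(cmd):
    """Set of staging categories a command line matches (empty for benign commands)."""
    return {name for name, rx in STAGING_PATTERNS.items() if rx.search(cmd)}


def detect_staging(log_text, min_categories=2, window=timedelta(minutes=10)):
    """Alert per host when at least `min_categories` distinct staging behaviours
    occur within `window`; a lone 'net stop' by an admin does not fire."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            for cat in classify(rec["cmd"]):
                hits[rec["host"]].append((rec["ts"], cat, rec["user"]))

    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            cats = {c for _, c, _ in in_window}
            if len(cats) >= min_categories:
                alerts[host] = {"categories": sorted(cats),
                                "users": sorted({u for _, _, u in in_window}),
                                "first_seen": t0.isoformat()}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in detect_staging(SAMPLE_LOG).items():
        print(host, alert)
```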

Examples of Ryuk Ransomware Attacks

Ryuk ransomware attacks follow a similar pattern: large public or private organizations are targeted, and the hackers launch raid-like offensives. Ryuk attacks have hit organizations in the United States, the United Kingdom, Germany, Spain, France and Australia. In early 2021, an analysis of bitcoin transactions from known Ryuk addresses revealed that the Ryuk hackers had extorted more than $150 million in ransom. The most notable Ryuk attacks have hit municipalities, school systems, technology and energy companies, and hospitals. Here are the most famous ones:

Over a dozen hospitals were affected by ransomware attacks in late 2020. In June 2019, Lake City, Florida, paid a $460,000 ransom after an employee had opened an infected email.

How to Remove Ryuk Ransomware?

Because of Ryuk’s complexity, only experienced IT teams should remove it. Even after Ryuk is removed from your network, your files will remain encrypted, since only the attackers hold the keys to restore them. You can remove Ryuk in safe mode or through System Restore. However, the focus should be on preventing such attacks before you lose access to critical assets. Every employee should keep a close eye out for phishing emails and avoid clicking on any suspicious content in their inbox.

Most importantly, organizations should establish the proper cybersecurity protocol, strategy, and training program. An AI-based endpoint protection platform that detects and prevents threats is essential to protect your enterprise from attacks. Advanced cybersecurity software can rank and triage threats based on in-depth knowledge of your environment and can conduct thorough investigations to recognize ever-evolving malware.

Protecting Against Ryuk

While organizations can apply specific technical controls to reduce the likelihood of a Ryuk infection, defending against human-operated ransomware attacks generally requires correcting some bad practices among administrators.

“Some of the most successful human-driven ransomware campaigns have targeted servers on which administrators have deliberately disabled antivirus software and other security controls to improve performance,” Microsoft said. “Many of the observed attacks use malware and tools that are already recognized by antivirus programs. The same servers often lack firewall and MFA protection, have weak domain credentials, and use non-random local administrator passwords. Often these protections are intentionally disabled because there is a concern that security controls may negatively impact performance. IT teams can help determine the true impact of these settings and work with security teams to mitigate the effect. Attackers use settings and configurations that IT administrators manage and monitor.”

Security teams also need to take seemingly minor infections with common malware more seriously. As Ryuk shows, common threats like Emotet and TrickBot rarely appear on their own and should be treated as a wake-up call for much more severe problems. Simply removing common malware from a system without further investigation can lead to disastrous consequences weeks or months later.

“Infections with commodity malware such as Emotet, Dridex, and Trickbot must be removed and treated as a potential complete compromise of the system, including any credentials present,” Microsoft warned.

Addressing the infrastructure weaknesses that allowed malware to get in and spread is just as critical as protecting the network from lateral movement by maintaining proper credential hygiene and providing access with minimal privileges. In addition, limiting unnecessary SMB (Server Message Block) traffic between endpoints and restricting the use of administrator credentials can positively impact network resilience against human-led attack campaigns.
