MedusaLocker Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/medusalocker/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 05 Jan 2024 04:36:19 +0000 en-US hourly 1 https://wordpress.org/?v=87141 200474804 Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR https://gridinsoft.com/blogs/ransomware-attacks-increasingly-using-aukill-malware-to-disable-edr/ https://gridinsoft.com/blogs/ransomware-attacks-increasingly-using-aukill-malware-to-disable-edr/#respond Sun, 07 May 2023 19:35:20 +0000 https://gridinsoft.com/blogs/?p=14450 A new cybercrime tool called “AuKill” has emerged, which attackers use to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware. AuKill malware uses malicious device drivers to infiltrate systems. Recently, researchers from Sophos discovered an attacker using AuKill before deploying Medusa Locker ransomware and another attacker using it on an… Continue reading Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR

The post Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR appeared first on Gridinsoft Blog.

]]>
A new cybercrime tool called “AuKill” has emerged, which attackers use to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware.

AuKill malware uses malicious device drivers to infiltrate systems. Recently, researchers from Sophos discovered an attacker using AuKill before deploying Medusa Locker ransomware and another attacker using it on an already compromised system before installing the LockBit ransomware. The trend is a response to the growing effectiveness of EDR tools, which provide security vendors with a significant advantage in spotting attacks. Threat actors are targeting the tools, causing them the most trouble.

AuKill drops a driver named PROCEXP.SYS from release version 16.32 of Process Explorer into the exact location as the legitimate version of the Process Explorer driver (PROCEXP152.sys). Once on a system, the tool abuses the legitimate driver to execute instructions to shut down EDR and other security controls on the compromised computer. Sophos has analyzed six different versions of AuKill and noticed some substantial changes with each new version. Newer versions now target more EDR processes and services for termination.

The maliciously installed Process Explorer driver, highlighted in red, in the Drivers folder alongside the legitimate Process Explorer driver, proxexp152.sys
The maliciously installed Process Explorer driver, highlighted in red, in the Drivers folder alongside the legitimate Process Explorer driver, proxexp152.sys
AuKill has distributed multiple types of ransomware, including Medusa Locker and LockBit, since the beginning of 2023. Researchers have discovered six different variations of the malware thus far, with the earliest one having a timestamp indicating it was compiled in November of 2022.

Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR

These attacks are similar to a series of incidents reported by Sophos, Microsoft, Mandiant, and SentinelOne in December. In those attacks, threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to other exploits. Like other drivers, the vulnerable Process Explorer driver that AuKill leverages has privileged access to installed systems and can interact with and terminate running processes.

The post Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ransomware-attacks-increasingly-using-aukill-malware-to-disable-edr/feed/ 0 14450
20 Dangerous Types of Cybersecurity Threats https://gridinsoft.com/blogs/dangerous-types-of-cybersecurity-threats/ https://gridinsoft.com/blogs/dangerous-types-of-cybersecurity-threats/#respond Wed, 27 Apr 2022 19:09:52 +0000 https://gridinsoft.com/blogs/?p=7586 The cybersecurity threats in this year are more considerable than ever. Due to the emergence of efficient ransomware, coin miners, spyware, and so on, hacking has become a consistently profitable business. Knowing about cybersecurity threats is crucial because it livens up the safety measures. In addition, when you’re aware of what is up against you… Continue reading 20 Dangerous Types of Cybersecurity Threats

The post 20 Dangerous Types of Cybersecurity Threats appeared first on Gridinsoft Blog.

]]>
The cybersecurity threats in this year are more considerable than ever. Due to the emergence of efficient ransomware, coin miners, spyware, and so on, hacking has become a consistently profitable business.

Knowing about cybersecurity threats is crucial because it livens up the safety measures. In addition, when you’re aware of what is up against you on the Internet, you understand the meaning of cybersecurity.

The following article is not a list of cybersecurity threats in a strictly scientific sense. Instead, we have gathered some of the trending phenomena from modern cyber-warfare (some of them are threats indeed) to present them in the form of an explanatory dictionary.

 

#1. Hacking Attacks

Any activity toward getting unauthorized access to and control over computers, data storage, online servers, websites, etc., is called “hacking”. The term is old, and hacking computer systems does not necessarily imply going online, although it mostly happens on the Internet nowadays.

Hacking cybersecurity threats may involve malicious software (malware1) but not necessarily, since social engineering, i.e., trespassing digital security by deception, using human and not computer vulnerabilities, can be seen as a form of hacking.

Hacking started as idle entertainment but evolved into a lucrative cybercriminal industry. Counteracting potential crooks and developing anti-malware software is now an indispensable element of modern computer technology.

#2. Malware Attacks

“Malware” is a portmanteau for malicious software. There are different ways to classify unwanted programs. Some security specialists distinguish between software that does actual harm and annoying applications that can be easily detected and removed from a device by a standard procedure. Other experts consider unwanted programs and malware synonyms.

NOTE: Malware attacks – are a big threat to users from all over the world. It is very important to know the principles, and the main characteristics of each, to understand how to resist.

Harmful software can itself be classified according to different criteria. For example, Malware may be a file or non-file entity executed via scripts when no code is saved on the targeted device.

Malware files can be the ones that trespass the defenses of the victim system, or they can be downloaded later by the former. As for the infectious agents, these can be viruses, worms, or Trojans. Other types might emerge too, but these three are the most widespread. Besides, viruses 2, which gave malware its first collective name, are obsolete nowadays. But do you know the difference between malware and virus?

The functions of malware are immense. It can collect data, destroy or tamper with it, flood users with unwanted advertising, etc. However, the vilest malware these days is arguably ransomware.

Trojan Horse (Cybersecurity Threat)

Trojan horse, or just Trojan3 is a term that describes the way malware ends up on the victim’s device. It is incorrect to say “Trojan virus,” as Trojans are essentially not computer viruses; the latter are self-replicating pieces of code. Trojans, unlike that, are shaped as “normal” files, and they do not clone themselves. What is specific about them is that users install Trojans themselves, mistaking them for what this malware tries to seem. This disguising is what gave Trojans their name (remember Odyssey’s clever way to get beyond the walls of Troy.)

When the Trojan is already “behind the enemy lines,” it can execute one of many possible functions. It can either deliver its malicious payload or download additional malware, and one doesn’t exclude the other.

NOTE: Over the past three years, Trojan viruses have changed significantly, there are many dangerous variants. Therefore, it is recommended to use a separate antivirus, such as Gridinsoft Anti-malware.

#3. Ransomware Attacks

Ransomware4 are a kind of malware that encrypts data on the victim’s device. It provides instructions on how to pay ransom in cryptocurrency to the crooks, who promise to deliver a decryption key to the injured side in return.

Trojans usually deliver ransomware. Victims often catch this infection from email attachments, malicious links in messages, or unchecked downloads from dangerous websites. Ransomware encodes data files, such as text documents, images, and videos, after which all the encrypted files get an additional extension to their names. As a result, the user cannot read the files until they are decrypted.

Ransomware attacks have become a functioning business model for crooks within the last several years. State governments have started a real war on ransomware. The US authorities have started shutting down black markets where hackers have been selling ransomware as a service.

MedusaLocker Ransomware

MedusaLocker is classic ransomware with one mean peculiarity. Unlike the majority of ransomware operators, who would love to have the publicity of “trustworthy thieves,” racketeers behind MedusaLocker don’t give the decryption key to the victims, who pay ransom to them. Jeopardizing the whole business scheme, MedusaLocker developers are another illustration of the advice not to negotiate with the terrorist.

#4. Formjacking Cybersecurity Threat

A modern way of stealing money is to get a copy of the credit card details an unaware user inputs in a payment form, let us say, at an online shop. As the shopper confirms the credit card details, a copy of the entered data immediately goes right to the crooks. This vile procedure requires injecting a malicious JavaScript code into the third party’s payment form, usually not the website itself. Hackers can use the same technique to steal logins and passwords with the subsequent identity theft.

#5. Password Attacks

Password attacks are the sum of measures hackers may undertake to pick a password to a password-protected account or device, considering that they do not have that password and do not have any software to obtain it precisely. Therefore, password attacks are attempts to guess the password using computer powers to do it as fast as possible. The most “fair” method is a brute force attack when the machine bluntly tries all possible password variants until it guesses it.

NOTE: Password thieves or PWS are a specific type of malware that tries to get your passwords and other credentials. Once the system is changed, the password thief virus is ready to do its job.

A strong password might take thousands of years to break. But, of course, it is not about trying every value without any relation to what is being hacked. For example, There are usually sets of words and numbers that are more likely to be the correct password in every particular case. That is what the machine does: it realistically varies the entered values.

#6. Cryptojacking Malware

Since cryptocurrency strengthened its position in the world economy, hackers have been developing ways to benefit from other people’s resources. Bitcoins and other tokens are produced via mining – solving the cryptographic problems by the obtaining machine. Thus, criminals sought to enslave as many computers on the Web as possible for their remote mining farms. They found different methods for crypto-jacking (that’s what this process is called.)

The two most common ways to exploit remote machines for cryptocurrency mining are infecting them with so-called coin miners (mostly Trojans) or making them run coin-mining scripts. Precaution measures against these cybersecurity threats are known and familiar – be careful around questionable email attachments and links.

#7. Man-in-the-middle attack (MITM)

Spoofing a wi-fi networkname allows crooks to lure their victims into a network fitted with data-collecting software or even hardware. The user’s incoming and outbound traffic gets into the crooks’ possession. This spying scheme is called man-in-the-middle. It can equally serve criminals to attack a specific target or conduct identity theft of random persons, unlucky to fall into their trap.

IMPORTANT FACT: A public Wi-Fi network can be considered insecure for several reasons, which can further compromise your device and data. It is very important to learn how to use public Wi-Fi safely: risks to watch out for.

#8. Cloud Vulnerabilities

Users consider cloud storage an excellent and convenient place to keep their data and have their hard drives back up there. That is true! But is the cloud safe? People seldom care about cloud data security because they do not expect anyone to hunt for their information. However, any company with competitors or an influential person should know that there are vulnerabilities in cloud services.

Some of them are trivial, like the absence of two-factor authentication, which can allow someone to get someone to benefit from a logged-in machine. Others involve commands written in inner script languages of the cloud services, DDoS attacks, compromising APIs, and other vulnerabilities that raise questions about the security of cloud services.

#9. Botnet Cybersecurity Threat

A botnet5 is a network of compromised computers that act in concert to perform various possible actions. Each botnet host is a computer with specialized software installed and running on it, usually unbeknownst to the user. Regardless of what the botnet does, the botnets, in general, are mostly vile. These networks are used for posting commentaries on social media, creating DDoS attacks, mining cryptocurrency, distributing malware, etc.

#10. Denial of Service (Dos) Attack

Denial of service Dos attack happens to a resource that is supposed to provide said service but gets overloaded by the enormous number of requests or receives crafted data that triggers the crash. This type of attack is usually undertaken against websites of business competitors, political opponents, ideological enemies, or other states’ critical resources by the cybersecurity threats from the opposing countries.

If a DoS assault involves multiple attackers (real people or a botnet), it is called distributed denial of service (DDoS.) An international hacktivist group Anonymous is well known for its capacity for quick organization of massive DDoS attacks. However, the usage of VPNs and onion routing makes tracking of attackers virtually impossible.

#11. Spam Cybersecurity Threat

Spam is a well-known practice of throwing unwanted and unneeded advertising at random users. However, if earlier spam was a type of advertising and fraud, the hackers later caught on and started using spam to spread malware. The combination of spam and malware distribution is called malspam. The difference between malspam and hacking attacks involving email is that the former is a wild distribution of dangerous attachments in random mailing sprees.

#12. Phishing Attack

Phishing is a hacking technique that does not necessarily involve malware at all! The attack’s name comes from the word “fishing,” with letters changed to distinguish it from real fishing. But the point is similar. Hackers use social engineering, in other words – skillful deception, to make victims think that people who address them are some trustworthy company or person. But it is very important not to confuse the difference between phishing and pharming!

NOTE: Phishing is a type of cyber attack that is carried out using various technologies. There are many dangerous types of phishing attacks to watch out for.

After such a connection is established, criminals lure unaware users into providing their credentials (login, password, credit card details, etc.) Without knowing the real identity of the asker, victims can bear considerable losses up to identity theft. Therefore, education and vigilance are the best countermeasures to such attacks.

#13. Spoofing Cybersecurity Threats

Spoofing is undividable from phishing. For example, imagine someone who impersonates a police officer to make you lend him your car. That person says there is phishing, while his fake uniform and the policeman’s badge are spoofing. Likewise, email letterhead, email address, web page appearance, website address, wi-fi network name, browser shortcut and interface, and whatnot can be an object of spoofing.

Experienced users are likely to distinguish a genuine webpage from a spoofed one. There are also basic rules of Internet communication that can safeguard users from buying into deceptive baits. However, the problem is that phishing generally targets inexperienced users.

#14. SQL Injection (SQLi) Cybersecurity Threats

SQL code injection is one of the common ways of hacking websites and data-driven software. It exploits software vulnerabilities that allow a specially crafted piece of SQL code to override the intended principles of the program and grant hackers access to the data from a database to which they don’t have legal access.

The vulnerability emerges because the flaws in programming may result in SQL requests being read and executed as commands out of correct context in certain conditions. Knowing these conditions and how to exploit them makes SQL injection attack possible.

#15. Rootkit Malware Attack

Rootkits are the programs that perfectly fit the definition and popular idea of a hacking tool. Rootkits are strongly associated with malware. Cybercriminals use them to reach the data closed for the user with the current level of access. As the tool’s name reveals, it aims to provide its user with access to the very core of the system, its root.

This kind of software grants evil-doers a broad scope of opportunities: collecting information from the system, controlling the system, and masking the objects within it. Modern security software automatically clears the known rootkits attack, but it will be a problem for an average user to detect and delete.

#16. Advanced Persistent Threat (APT)

Nation-state threat actors gaining unauthorized access to computer systems and remaining undetected for a long time are designated as advanced persistent cybersecurity threats. APTs are among the most disturbing menaces in the modern digital world because they target countries’ vital industries like banks, electronic election systems, electric energy supply, etc. Moreover, being legalized in their own countries, nation-state threat actors are well-equipped, and they aim to harm , not make money like the ransomware operators. That radically distinguishes APTs from the other threats.

#17. Backdoor Attacks

A backdoor is a way of bypassing standard authentication or encryption processes in a device or a program. The item’s name in question speaks for itself; it is a vulnerability of a program, but it is left there on purpose. It allows hackers (who are, in the case of a backdoor, the very developers of the software containing it) to get quick and free access to data or even control over the system.

FROM THE LATEST NEWS: Shuckworm hackers are attacking Ukrainian organizations with a new variant of the Pteredo backdoor. According to experts, the group carried out more than 5 thousand cyberattacks on 1.5 thousand public and private enterprises in the country.

A backdoor is not necessarily a hacking instrument; it might be a tool for emergency troubleshooting. However, hackers use backdoors introduced via seemingly ordinary applications (in fact – Trojans) to fetch additional malware beyond the security perimeter of the operating system. Luckily, backdoors are recognizable, and anti-malware systems manage to detect them.

#18. Darknet Cybersecurity Threats

Darknet is not a cybersecurity threat, but it sounds menacing. However, it would be false to say that the darknet has no relation to cybersecurity threats. It is more of a place where designers and users of malware meet and communicate. Darknet is an anonymous overlay peer-to-peer file-sharing network (existing within the Internet) wherein connections are only established between trusted peers and via non-standard ports and protocols. Access to the darknet is only possible via special software, like Tor Browser. While the dark web is associated with illegal activity, accessing and browsing the dark web is legal. We recommend interesting useful tips for the darknet from Gridinsoft.

Darknet is associated with black markets, cybercrime, and terrorism, well-protected privacy, freedom of thought, and liberty from governmental control. Beware of these dangerous cybersecurity threats!

The post 20 Dangerous Types of Cybersecurity Threats appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/dangerous-types-of-cybersecurity-threats/feed/ 0 7586