BlackCat Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/blackcat/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Mon, 01 Apr 2024 19:29:11 +0000

UnitedHealth Hack Leaks 6 TB of User Data
https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
Mon, 01 Apr 2024 19:29:11 +0000
UnitedHealth Group, one of the largest providers of health insurance and health care services in the United States, suffered a cyberattack followed by a data breach. The company admitted that the personal data of millions of patients was “stolen” in the attack. The incident is already being called one of the largest in healthcare history. The total volume of data the hackers managed to exfiltrate is estimated at 6 terabytes.

UnitedHealth Hacked, Department Leaks Huge Amounts of Data

In February 2024, UnitedHealth Group experienced a massive cyberattack that compromised the data security of Change Healthcare. This division of the corporation processes medical claims and payments. As a result, systems responsible for processing prescriptions, medical claims and electronic payments were affected. This caused major problems for healthcare providers, pharmacies and payment systems across the country.

Application on the company’s website

UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services as a compensation.

On Wednesday, UnitedHealth Group announced that it has made significant progress in restoring the core systems hit in the attack. The attack caused an outage during the company’s response and impacted more than 100 Change Healthcare IT products and services.

Government Response

The size of UnitedHealth and its importance to the national healthcare industry meant the government could not stay silent. The U.S. Department of Health and Human Services has opened an investigation into the incident for possible violations of the Health Insurance Portability and Accountability Act (HIPAA). The investigation aims to determine whether a breach of protected patient information occurred and whether the relevant legal requirements for confidentiality were met.

U.S. Department of State Announces Reward


BlackCat/ALPHV Claims Responsibility

The ALPHV/BlackCat ransomware gang claimed responsibility for this attack earlier this year. The hackers announced that they had exfiltrated 6 terabytes of “highly selective data” regarding Change Healthcare customers. This covers a wide range of data from Tricare, Medicare, CVS Caremark, MetLife, and other large organizations, which highlights the potential scale of the damage.

ALPHV/BlackCat reveals details of the attack on UnitedHealth

According to their account, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to distribute the stolen data. This is a forced measure: the company pays huge sums to regain access to its own data and to prevent further dissemination of the stolen information. However, it remains an open question whether BlackCat actually received the full ransom amount as claimed, and what assurance there is that the data will not be distributed or used in the future.

At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action, which severely disrupted the group’s operations for a period. Yet, as this case shows, BlackCat continued operating in defiance of law enforcement efforts. The disruption definitely slowed them down, but did not stop the operation entirely.

What did stop it was an exit scam that the group’s admins pulled in early March 2024. The hackers defrauded their partners, quitting the business with all of their affiliates’ money. The UnitedHealth subsidiary appears to be one of their last targets, at least under this name. I expect them to resurface in one form or another.

Octo Tempest Threat Actor – The Most Dangerous Cybercrime Gang?
https://gridinsoft.com/blogs/octo-tempest-threat-actor/
Mon, 30 Oct 2023 17:49:58 +0000
Octo Tempest, a financially-motivated hacking group, has been labeled “one of the most dangerous financial criminal groups” by Microsoft. Known as UNC3944 and 0ktapus, the group has gained attention for bold cyber attacks.

What is Octo Tempest Cybercrime Gang?

Octo Tempest’s journey into the world of cybercrime is an intriguing one. Only a few months ago, it became the first English-speaking affiliate of the BlackCat ransomware gang. This collaboration marks a rare occurrence in the cybercriminal ecosystem, as historically, Eastern European ransomware groups have been reluctant to do business with native English-speaking criminals.

Octo Tempest’s modus operandi is characterized by well-organized and prolific attacks, reflecting a depth of technical expertise and the involvement of multiple operators with hands-on-keyboard skills. The group first appeared on the radar in early 2022, initially targeting mobile telecommunications and business process outsourcing organizations for SIM swaps. Notably, their activities were traced to ransomware attacks against Las Vegas casinos in September of the same year.

Evolution of Octo Tempest

However, their ambitions did not stop there. In 2022, Octo Tempest orchestrated a large-scale campaign that compromised over 130 organizations, including prominent names like Twilio and Mailchimp, highlighting the group’s capacity to wreak havoc on a grand scale.

Collaboration with BlackCat and Ransomware Deployment

A significant turning point in Octo Tempest’s cybercriminal career was its collaboration with BlackCat, also known as ALPHV. The group began deploying ransomware payloads developed by BlackCat, extending its focus to both Windows and Linux systems. More recently, Octo Tempest has directed its efforts towards VMware ESXi servers.

Octo Tempest remains financially motivated, with diverse monetization techniques. Their activities span from cryptocurrency theft to data exfiltration for extortion and ransomware deployment.

Octo Tempest Methods of Initial Access

Octo Tempest employs a range of methods for gaining initial access, including:

  • Installing remote monitoring and management utilities.
  • Navigating to fake login portals using an adversary-in-the-middle toolkit.
  • Purchasing stolen employee credentials or session tokens on the dark web.
  • Conducting SMS phishing campaigns targeting employee phone numbers with links to fake login portals.
  • Leveraging SIM swaps or call forwarding on an employee’s phone number.
  • Initiating a self-service password reset once control of the employee’s phone number is established.

Fear-Mongering Tactics and Reconnaissance

In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls, texts, and even physical threats to coerce victims into sharing their credentials for corporate access.

Upon gaining initial access, the group proceeds with a meticulous reconnaissance process. It includes enumerating hosts and services, collecting information, and identifying documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults. Their access to internal networks allows them to carry out broad searches across knowledge repositories to gather intelligence about the target’s infrastructure.

Defending Against Octo Tempest

Detecting and defending against Octo Tempest is no easy task due to their use of social engineering, living-off-the-land techniques, and a diverse toolkit. However, cybersecurity experts offer guidelines to help organizations detect and combat this rising cyber threat.

  • Monitor and review identity-related processes, Azure environments, and endpoints; these are crucial steps in bolstering defenses against Octo Tempest.
  • Educate yourself and your employees about social engineering and phishing tactics commonly used by Octo Tempest. Regular training on recognizing suspicious emails and links can help prevent successful attacks.
  • Keep your operating systems, software, and applications up to date with the latest security patches. Cybercriminals often exploit known vulnerabilities in outdated software.
  • Use a firewall to monitor and filter incoming and outgoing network traffic. Intrusion detection and prevention systems (IDPS) can also help detect suspicious activities.
  • Regularly back up your data, both on-site and off-site. In the event of a ransomware attack, having clean, uninfected backups can save your data.
  • Stay informed about emerging threats and vulnerabilities by monitoring cybersecurity news and threat intelligence feeds. This can help you adapt your defenses to evolving threats.

BlackCat Ransomware Employs Malvertising In Targeted Attacks
https://gridinsoft.com/blogs/blackcat-ransomware-malvertising-targeted-attacks/
Mon, 03 Jul 2023 19:57:30 +0000
Recently, malicious actors started using malvertising to spread BlackCat ransomware. They use cloned web pages of popular freeware applications, particularly the WinSCP utility. Such downloads result in an infection chain that consists of a dropper, a backdoor and, finally, the ransomware.

Operators Distributing Ransomware Disguised as WinSCP

Researchers found that BlackCat operators were using malicious ads to distribute fraudulent installers of the WinSCP file transfer application. The distribution involved a web page imitating the site of the well-known WinSCP, an open-source Windows file transfer application. In a nutshell, attackers use SEO poisoning to spread malware through online advertisements: they hijack a select set of keywords to display phishing site ads on Bing and Google search results pages, and these ads redirect unsuspecting users to a phishing copy of the original web page.

Fake web page

Thus, scammers try to make users download malware masked as a legitimate app. Instead of a legitimate WinSCP installer, the victim gets a backdoor containing a Cobalt Strike beacon. The backdoor, in turn, connects to a remote server for subsequent operations and uses legitimate tools like AdFind to facilitate network discovery. Attackers use the access granted by Cobalt Strike to download tools for reconnaissance, enumeration, lateral movement, antivirus evasion, and data exfiltration. The tactic is aimed at infecting corporate users, a fairly unusual approach when it comes to ransomware spreading methods.

According to the researchers, the attackers managed to obtain top-level administrator privileges, which allowed them to perform post-exploitation actions. In addition, they tried to establish persistence with remote management tools such as AnyDesk and to gain access to backup servers. Unfortunately, this is not an isolated case but rather a trend: we have already described how attackers use the Google Ads platform to spread malware.

What Is BlackCat Ransomware?

BlackCat is a dangerous malware strain that emerged in November 2021. It is operated by a Russian-speaking cybercrime group called ALPHV. It is the first significant malware written in the Rust programming language and can attack Windows and Linux systems. BlackCat uses a triple-extortion tactic in its ransomware campaigns, targeting various industries, including finance, manufacturing, and legal services. It has compromised around 200 enterprise organizations between November 2021 and September 2022 and is related to other ransomware variants such as BlackMatter and DarkSide.

BlackCat Ransom Note

BlackCat gang is known for being pretty radical when it comes to data leaks. Once the company they’ve attacked refuses to pay, hackers open access to all the extracted data. And contrary to other ransomware gangs, ALPHV/BlackCat does this on the clear web website. In the past year, they exposed a huge number of people by publishing data extracted from Allison Resort and University of Pisa.

General recommendations

At the organization level, there is a whole set of recommendations that security-conscious organizations take for granted to protect themselves and their customers. A detailed understanding of attack scenarios enables organizations to identify weaknesses that can lead to compromise and critical damage, and to take the necessary steps to prevent them. But what about individual users? Here we recommend following these simple but effective tips:

  • Be extremely careful when searching for and downloading necessary programs from the Internet.
  • Do not click on advertising links on the search page.
  • Use ad blockers.
  • Use a trusted antimalware program.

Following these rules will minimize the chances of compromising personal computers and workstations, or corporate devices.

BlackCat Ransomware New Update Boosts Exfiltration Speed
https://gridinsoft.com/blogs/blackcat-ransomware-new-update/
Thu, 08 Jun 2023 10:39:59 +0000
BlackCat ransomware continues to cause trouble globally for the second year now, targeting various sectors. Most of the time it goes after healthcare, government, education, manufacturing, and hospitality. The group constantly improves its operations, automating data exfiltration and releasing new ransomware versions with upgraded capabilities.

What is BlackCat Ransomware?

The cybercriminals use ALPHV (BlackCat), a sophisticated ransomware program written in the Rust programming language, for their operations. It is distributed under a Ransomware-as-a-Service (RaaS) model, encrypts data by locking files, and demands payment for decryption. In most cases, the actors deploying this malware rename the encrypted files by appending a specific extension. Since the software is distributed as a service, the extension appended to encrypted files depends on the affiliate running the attack.

Example of a BlackCat ransom note

These details, though, are fairly standard for any successful modern ransomware group. The more interesting aspects of BlackCat are its unusual spreading methods and its rough behavior when it comes to data publication. The latter is done on a clear web site, instead of the more usual Darknet page. Moreover, these hackers were among the first to use so-called triple extortion, asking for additional money to keep the fact of the attack secret.

BlackCat’s level up

BlackCat gained notoriety almost immediately after its launch in November 2021. It was regularly among the most active ransomware groups and was associated with the now-defunct BlackMatter/DarkSide ransomware. In addition, in 2022 BlackCat switched to the Rust programming language, which gave it the customization the language provides and the ability to bypass malware detection and analysis. Even after a year and a half, there is no hint that BlackCat’s career is nearing its end.

Over the last six months, BlackCat has been constantly improving its tools. The group has abused Group Policy Objects to deploy tools and interfere with security measures. For example, attackers may try to speed up their operations by changing the default Group Policy refresh interval, thereby shortening the time between the changes taking effect and the defenders being able to react.

Screenshot of the BlackCat leak site

In addition, BlackCat operators run a double extortion scheme, using tools for both data encryption and theft. One tool, ExMatter, was used to exfiltrate multiple terabytes of data from victims to the attackers’ infrastructure. It is used exclusively by one BlackCat affiliate, tracked by Microsoft as DEV-0504. The attackers frequently post stolen data publicly on their leak site for one reason: to pressure their extortion victims.

New version of BlackCat

A new version of BlackCat, called Sphynx, was also observed by IBM X-Force. It was announced in February 2023 and has updated capabilities that make it harder to detect. Sphynx differs significantly from previous variants, for example by reworking the command line arguments and using raw structures instead of JSON formatting for configuration data, which makes the ransomware harder to detect and analyze. The BlackCat group stated that it was a global update intended to hinder detection by AV/EDR. In short, the BlackCat Sphynx loader is an obfuscated loader that decrypts strings and payloads upon execution. It conducts network discovery and creates a ransom note for the encrypted files. The BlackCat ransomware sample may also function as a toolkit based on tools from Impacket.

How does it work?

Initial access and privilege escalation

Researchers believe that in the earliest stages the attackers used valid credentials obtained through the Raccoon and Vidar stealers. After successfully penetrating a network, attackers use PowerShell and the command line to gather information, in particular about user accounts, domain computers, and permissions. They then use PowerShell code associated with “PowerSploit” to obtain domain administrator credentials.

Detection of the malicious file exfiltration tool “sender2”, executed under PsExecSvc.exe

Defense Evasion and Lateral Movement

Next, the attackers use Remote Desktop Protocol (RDP) to move around the network. Using credentials for accounts with administrative privileges, they authenticate to domain controllers and eventually modify the default domain group policy object (GPO). These edits allow them to disable security controls: Microsoft Defender, system monitoring, security tooling, and notifications.
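The sequence above (an edit of the default domain GPO, followed shortly by Defender being switched off on endpoints) is something a defender can look for in Windows telemetry. The script below is an added detection example written for this article; it is not code from Gridinsoft, Microsoft, or any vendor. It assumes events have already been parsed into dicts from two channels: the Security log, where Event ID 5136 records modification of a directory service object such as a groupPolicyContainer, and the Microsoft-Windows-Windows Defender/Operational log, where Event IDs 5001, 5010 and 5012 report real-time protection or scanning being disabled. The Default Domain Policy GPO is identified by its well-known fixed GUID {31B2F340-016D-11D2-945F-00C04FB984F9}. The sample events, hosts and account names are constructed for illustration.

```python
"""Added detection example (not code from the Gridinsoft article or any
vendor): correlate edits of the Default Domain Policy GPO with Microsoft
Defender being switched off on endpoints shortly afterwards.

Assumptions, none of which come from the article:
  - events are dicts parsed from the Security channel (Event ID 5136,
    "A directory service object was modified") and from the
    Microsoft-Windows-Windows Defender/Operational channel
    (Event IDs 5001/5010/5012, protection or scanning disabled);
  - the Default Domain Policy GPO carries its well-known fixed GUID;
  - SAMPLE_EVENTS below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_OFF_IDS = {
    5001: "real-time protection disabled",
    5010: "anti-malware scanning disabled",
    5012: "anti-virus scanning disabled",
}
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


def ts(text):
    """Parse the timestamp format used in the constructed sample."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_defender_disable(ev):
    """True for Defender events reporting protection being turned off."""
    return ev["channel"] == DEFENDER_CHANNEL and ev["event_id"] in DEFENDER_OFF_IDS


def is_default_gpo_edit(ev):
    """True for a 5136 event that changed the Default Domain Policy object."""
    return (
        ev["channel"] == "Security"
        and ev["event_id"] == 5136
        and ev.get("object_class") == "groupPolicyContainer"
        and DEFAULT_DOMAIN_POLICY.lower() in ev.get("object_dn", "").lower()
    )


def correlate(events, window=timedelta(hours=1)):
    """Return one alert per Default Domain Policy edit that is followed,
    within `window`, by Defender being disabled on at least one host.
    A lone GPO edit (routine admin work) produces no alert."""
    events = sorted(events, key=lambda e: e["time"])
    gpo_edits = [e for e in events if is_default_gpo_edit(e)]
    defender_off = [e for e in events if is_defender_disable(e)]
    alerts = []
    for edit in gpo_edits:
        start = edit["time"]
        hits = [d for d in defender_off if start <= d["time"] <= start + window]
        if hits:
            alerts.append({
                "gpo_edit_time": start,
                "editor": edit["subject"],
                "attribute": edit.get("attribute"),
                "hosts": sorted({d["host"] for d in hits}),
                "reasons": sorted({DEFENDER_OFF_IDS[d["event_id"]] for d in hits}),
            })
    return alerts


# Constructed sample: a routine edit with no fallout, then an edit followed by
# Defender going dark on two hosts. Names, hosts, GUIDs and times are made up.
DEFAULT_GPO_DN = ("CN=" + DEFAULT_DOMAIN_POLICY
                  + ",CN=Policies,CN=System,DC=corp,DC=example")
OTHER_GPO_DN = ("CN={00000000-0000-0000-0000-000000000001}"
                ",CN=Policies,CN=System,DC=corp,DC=example")
SAMPLE_EVENTS = [
    {"time": ts("2023-05-20 00:05:00"), "channel": "Security", "event_id": 5136,
     "host": "dc01", "subject": "gpo-admin", "object_class": "groupPolicyContainer",
     "object_dn": DEFAULT_GPO_DN, "attribute": "versionNumber"},
    {"time": ts("2023-05-20 02:10:00"), "channel": "Security", "event_id": 5136,
     "host": "dc01", "subject": "svc-backup", "object_class": "groupPolicyContainer",
     "object_dn": DEFAULT_GPO_DN, "attribute": "gPCMachineExtensionNames"},
    {"time": ts("2023-05-20 02:11:00"), "channel": "Security", "event_id": 5136,
     "host": "dc01", "subject": "svc-backup", "object_class": "groupPolicyContainer",
     "object_dn": OTHER_GPO_DN, "attribute": "versionNumber"},
    {"time": ts("2023-05-20 02:25:00"), "channel": DEFENDER_CHANNEL,
     "event_id": 5001, "host": "ws-017"},
    {"time": ts("2023-05-20 02:40:00"), "channel": DEFENDER_CHANNEL,
     "event_id": 5012, "host": "fs-02"},
    {"time": ts("2023-05-20 09:00:00"), "channel": DEFENDER_CHANNEL,
     "event_id": 5001, "host": "ws-099"},  # too late to tie to the 02:10 edit
]

ALERTS = correlate(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in ALERTS:
        print(a["gpo_edit_time"], a["editor"], a["attribute"],
              a["hosts"], a["reasons"])
```

Only the 02:10 edit by `svc-backup` is reported: the earlier edit has no Defender events within the hour, the 02:11 event touches a different GPO, and the 09:00 Defender event falls outside the window. In production the window and the GPO list would be tuned to the environment, and the alert would also carry the account that authored the GPO change so it can be checked against change tickets.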

Exfiltration and self-destruction

As mentioned above, BlackCat extracts data using ExMatter before launching the ransomware. This malware installs itself as a service through the system registry, in the following key. The stolen data is then sent to the attacker’s infrastructure over SFTP and WebDAV. After exfiltrating the data, ExMatter launches a dedicated process to remove all its traces.

BlackCat vs. Linux

In addition to attacking Windows systems, BlackCat affiliates can attack Unix-like systems. In this case, the payload is deployed on ESXi hosts running virtual machines using WinSCP; the attackers then access the hosts using PuTTY to run the ransomware. Releasing malware versions adjusted to attack Linux systems appears to be a new trend among cybercriminals, and it should not be ignored.

How to Protect Against BlackCat Ransomware Attacks

  • Educating employees. Educating employees is crucial to safeguard against ransomware like BlackCat. Training them on identifying phishing emails, avoiding suspicious links and attachments, keeping software updated, and reporting any suspicious activity to IT or security personnel can reduce the risk of an attack. Regular security awareness training can inform employees about the latest threats and best practices.
  • Encrypting sensitive data. Encrypting sensitive data is an effective way to protect against BlackCat ransomware and other malware. This involves converting the data into a code requiring a decryption key. Financial records, personal information, and important files should always be encrypted. Access controls should also be implemented to restrict who can view or modify the data. By encrypting sensitive data and implementing access controls, businesses can significantly reduce the risk of attack and potential impact.
  • Backup data. Backing up and storing your data offline is the best way to keep and protect your files from any ransomware and other malware. We recommend storing a copy of essential files in a separate location. For example, you can use an external or cloud storage. If infected, you can erase files and restore data from the backup. Keep backups secure by storing them in a location physically separate from your computer or using a reputable cloud storage service with strong security and encryption.

These are the main ways to prevent negative consequences. In addition, it is essential to use multi-factor authentication, use strong passwords, install updates, monitor network traffic, and monitor file and folder activity.

Western Digital Admits that Users’ Personal Data Was Compromised in the Company’s Hack
https://gridinsoft.com/blogs/western-digital-acknowledged-attack/
Fri, 12 May 2023 09:53:23 +0000

Western Digital, which was hit by a BlackCat hack in March 2023, has finally admitted that customers’ personal data was compromised during the incident.

Users of the company’s online store were affected: the leak contained their names, billing and shipping addresses, email addresses and phone numbers.

Western Digital was hacked at the end of March 2023. The attackers compromised the internal network and stole the company’s data. At the same time, ransomware was not deployed on the Western Digital network, and no files were encrypted.

As a result of this attack, the company’s cloud services, including Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, as well as mobile, desktop and web applications related to them, did not work for almost two weeks.

The responsibility for this attack, apparently, lies with the extortionist group BlackCat (aka ALPHV).

Let me remind you that Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups.

Recently, hackers have begun leaking data stolen from Western Digital and are threatening to sell the company’s stolen intellectual property, including firmware, code-signing certificates and customer personal information, on the black market unless ransomed.

At the end of last week, Western Digital representatives began to notify users of a data breach related to this attack.

“Recently, an investigation revealed that around March 26, 2023, an unauthorized third party received a copy of a Western Digital database that contained limited personal information about our online store customers. The data included customer names, billing and shipping addresses, email addresses, and phone numbers. As a security measure, the database stored hashed salted passwords in an encrypted format, as well as only partial credit card numbers. We will contact affected customers directly,” the company says.

Western Digital has now taken its online store offline and an investigation into the incident is still ongoing. The company says it expects to reopen the store around May 15, 2023.

Let me remind you that the media wrote that Western Digital My Cloud OS Fixes Critical Vulnerability.

BlackCat Group Leaks Western Digital Data to the Network
https://gridinsoft.com/blogs/black-cat-and-western-digital/
Thu, 04 May 2023 11:17:37 +0000

The operators of the ransomware BlackCat (aka ALPHV) have published screenshots of Western Digital’s internal emails and video conferences. The hackers appear to have maintained access to the company’s systems even after Western Digital discovered and responded to the attack.

Let me also remind you that we wrote that BlackCat Says It Attacked Creos Luxembourg, European Gas Pipeline Operator, and also that Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups.

Western Digital was hacked at the end of March 2023. The attackers compromised the internal network and stole the company’s data. At the same time, ransomware was not deployed on the Western Digital network, and no files were encrypted.

As a result of this attack, the company’s cloud services, including Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, as well as mobile, desktop and web applications related to them, did not work for almost two weeks.

Let me remind you that the media wrote that Western Digital My Cloud OS Fixes Critical Vulnerability.

The fact that the incident is most likely related to a ransomware attack was first reported by TechCrunch. According to journalists, the attackers managed to steal about 10 TB of data from the company. The hackers shared samples of stolen data with TechCrunch, including files signed with stolen Western Digital keys, company phone numbers not publicly available, and screenshots of other internal data.

The first statement of the hackers about the attack on WD

Although the attackers then claimed that they were not associated with the ALPHV group, soon a message appeared on the hack group’s website that Western Digital’s data would be published in the public domain if the company did not pay the ransom.

As information security researcher Dominic Alvieri now reports, in an effort to put pressure on the affected company, the hackers released 29 screenshots containing emails, documents and video conferences related to Western Digital’s response to this attack. In this way, the attackers hinted that they retained access to some Western Digital systems even after the hack was discovered (probably until April 1, 2023).

For example, one screenshot includes a “media holding statement”, and another is a letter about employees who “leak” information about the attack to journalists.

A new message from the attackers is also attached to this leak, in which they claim to have personal information of the company’s customers and a full backup of SAP Backoffice.

Message from BlackCat regarding Western Digital

The hackers say that if Western Digital does not pay the ransom, they will release the stolen files every week. They also threaten to sell the company’s stolen intellectual property on the black market, including firmware, code-signing certificates, and customers’ personal information.

Microsoft Links Hacker Group Vice Society to Several Ransomware Campaigns https://gridinsoft.com/blogs/hacker-group-vice-society/ Thu, 27 Oct 2022 07:35:47 +0000

Microsoft experts have published a report on the hacker group Vice Society (aka DEV-0832), which uses ransomware to attack the educational sector in the US and other countries around the world.

According to the experts, the attackers alternate between the BlackCat, QuantumLocker and Zeppelin ransomware, as well as another Zeppelin variant that is deployed under the Vice Society "brand".

Let me remind you that we also reported that BlackCat Says It Attacked Creos Luxembourg, European Gas Pipeline Operator and also that The Austrian Company DSIRF Was Linked to the Knotweed Hack Group and the Subzero Malware.

The Vice Society group has been active since June 2021 and is known for using several varieties of ransomware in the networks of its victims. In addition to encrypting files, criminals steal data from compromised systems and use it for double extortion, threatening victims to release information online if ransom demands are not met.

One of the biggest and most well-known recent victims of Vice Society is the second largest school district in the United States, LAUSD (Los Angeles Unified School District).

As Microsoft Security Threat Intelligence analysts now write, from July to October 2022, the group alternated the use of the malware listed above, and in September also used a modified version of its own RedAlert payload, which adds the .locked extension to encrypted files.

Bleeping Computer journalists note that in addition to the malware mentioned in the experts’ report, the group also uses the HelloKitty/Five Hands ransomware in its attacks.

In addition, Vice Society sometimes skips the data encryption step altogether: the operators simply steal confidential data from their victims' networks and demand a ransom under the threat of a leak.

Microsoft writes that the group “continues to focus on organizations with weak security measures” that are easy to hack and ransom. In particular, the Vice Society clearly focuses on the education sector.

"Microsoft believes that in some cases, the group did not deploy ransomware at all and likely carried out extortion using only stolen data," the researchers write. "The shift from using RaaS BlackCat (Ransomware-as-a-Service) to fully purchasable malware (Zeppelin) and Vice Society's own custom variant indicates that DEV-0832 has extensive connections in the cybercriminal environment and tests ransomware payloads for effectiveness, as well as extortion capabilities after ransomware attacks," the experts conclude.

BlackCat Says It Attacked Creos Luxembourg, European Gas Pipeline Operator https://gridinsoft.com/blogs/blackcat-and-creos-luxembourg/ Wed, 03 Aug 2022 10:34:28 +0000

The operators of the BlackCat ransomware (aka ALPHV) claimed responsibility for hacking Creos Luxembourg, which operates a gas pipeline and electricity grid in central Europe.

Encevo, which owns Creos Luxembourg and is an energy supplier to five EU countries, announced last week that it was hacked between July 22 and 23. As a result of this incident, the Encevo and Creos Luxembourg customer portals were unavailable, although there were no delays or service interruptions.

Let me remind you that we also wrote that the BlackCat ransomware gang publishes leaked data on a clear web site.

On July 28, the company released an update on the hack, stating that according to the preliminary results of the investigation, the attackers stole “some amount of data” from the systems they accessed.

It was reported that Encevo is not yet able to assess the consequences of the incident. The company asked customers to wait until the completion of the investigation, after which each of them should receive a personal notification. For now, all customers are advised to reset the passwords for their accounts that have been used to interact with the Encevo and Creos Luxembourg services. In addition, if these passwords were used for other sites, they should also be changed there.

Over the weekend, BlackCat published a post about the Creos Luxembourg hack, in which the hackers threaten to publish 180,000 files stolen from the company, totaling 150 GB. According to the attackers, the dump includes contracts, agreements, passports, bills, and emails. Apparently, the group plans to publish the information today.


Let me remind you that information security specialists believe that BlackCat is just a rebranding of the infamous BlackMatter/DarkSide malware. It is especially interesting that the hackers had to “rebrand” after the sensational attack on the largest pipeline operator in the United States, Colonial Pipeline, as this incident provoked interruptions in the supply of fuel and drew too much unnecessary attention to the hackers.

It seems the Colonial Pipeline incident did not teach the hackers anything: BlackCat had previously claimed responsibility for attacks on the German companies Oiltanking and Mabanaft, which transport and store oil and petroleum products, and now a pipeline operator has once again become a victim of the group.

BlackCat ransomware gang publishes leaked data on the clear web site https://gridinsoft.com/blogs/blackcat-gang-posts-the-leaks-in-surface-web/ Wed, 15 Jun 2022 22:20:06 +0000

The BlackCat/ALPHV group recently announced on its victim-shaming and extortion website that it had hacked into a luxury spa and resort in the Western United States. At some point in the last 24 hours, ALPHV posted a website with the victim's name in the domain and its logo on the front page. The ALPHV website claims to care about people's privacy, yet allows anyone to view sensitive stolen data.

BlackCat/ALPHV published the leaked data

Cybercriminal groups that practice double extortion have tried countless ways to shame their victims into paying. The latest innovation, which raises the stakes, comes from the ALPHV/BlackCat ransomware group. It has typically released stolen victim data on its Darknet page. Now, however, the group has begun posting websites for individual victims on the public Internet, with the leaked data made available in an easy-to-search form.

The case of the luxury resort is among the first, but likely not the last. The hackers' website claims to hold the personal information of 1,500 resort employees and over 2,500 guests of the facility. At the top of the page there are two "Check Yourself" buttons, one for employees and one for guests. Brett Callow, a threat analyst at security firm Emsisoft, called ALPHV's actions a "cunning tactic" that is sure to worry the group's other victims.

Cybersecurity experts are surprised by what is happening

Callow said most of the victim-shaming blogs maintained by major ransomware groups exist on obscure, slow-loading sites on the Dark Web. Users can reach those sites only with third-party software such as Tor. But the website created by ALPHV as part of this new pressure tactic is available on the Surface Web, so anyone who wants to check the information on a particular guest can do so. "Companies are likely to be more concerned about the prospect of their data being shared this way than just being posted on an obscure Tor site whose URL almost no one knows," Callow said. "It will piss people off and force them to react together." Apparently, Callow alludes to the high probability that the FBI will pay attention to a gang using such sly tricks. And this is not the first time US law enforcement has gone after these crooks.

Screenshot: leak site which the BlackCat gang created for Allison Resort

It is unclear whether ALPHV plans to apply this approach to every victim, but other recent victims of the gang include a US school district and a city. This is most likely a test run to see if it improves results. "We are not going to stop, our leak distribution department will do everything possible to bury your business," the victim's website says. "At this point, you still have a chance to maintain the safety and reputation of your hotel. We strongly encourage you to be proactive in your negotiations; you don't have much time."

What is BlackCat/ALPHV ransomware?

Launched in November 2021, ALPHV is perhaps most notable for its programming language, Rust. This choice lets it evade detection by conventional security solutions. It also makes the malware cross-platform, so it can be launched on Windows as well as *NIX systems. ALPHV actively recruits operators from several ransomware organizations, including REvil, BlackMatter and DarkSide, offering partners up to 90% of any ransom paid by the victim organization.

Screenshot: BlackCat/ALPHV ransomware ransom note

Many security experts believe that ALPHV/BlackCat is simply a rebranding of another ransomware group, DarkSide, also known as BlackMatter. That gang is responsible for the 2021 Colonial Pipeline attack, which led to fuel shortages and price spikes on the U.S. East Coast. That is exactly why I mentioned that attention from law enforcement is nothing new for these people. Are they fearless now?

Let’s sum the things up

The fact that the ransomware group has escalated to posting leaked information, and in particular information about individuals, is outrageous. Even more disgusting is that they created a page for it on the surface web. Still, such a technique can have an upside for individuals whose data is leaked. Mr. Callow, whom I cited above, suggested there may be a silver lining to this ALPHV innovation, mentioning his wife's correspondence with representatives of the Cl0p ransomware gang.

“On the positive side, tricks like this mean that people can find out that their personal data has been compromised. Cl0p sent a letter to my wife last year. The company that lost her data still hasn’t made the information public or notified the affected people (at least she hasn’t heard anything from the company).”

Sure, receiving a leak notification in this manner is not pleasant. But it is far better than remaining unaware altogether, as happens quite often. Who knows, maybe this case will raise the stakes and force companies to disclose leaks as soon as they are uncovered? What a time to be alive.

BlackCat Ransomware Attacks Italian University https://gridinsoft.com/blogs/blackcat-ransomware-attacks-italian-university/ Tue, 14 Jun 2022 22:14:11 +0000

An Italian university was hit by BlackCat this week. The hackers demand a $4.5 million ransom. BlackCat is a new, but very potent ransomware gang that carries several distinctive features that make it harder to detect and prevent.

About BlackCat ransomware

BlackCat ransomware is not a newbie on the ransomware scene, but it is far from an old-timer like Conti or HiddenTear. Its first activity was in November 2021, and it became known for using the Rust programming language in its payload. That makes the malware harder to detect and lets it run on different operating systems, including Windows, FreeBSD and Linux. The distributors the group sells the ransomware to seem to be quite professional, since there are no patterns in their actions and each attack is executed differently from the others. As is usual for the majority of modern ransomware groups, double extortion is applied. ANOZR WAY reports that about 12% of attacks in 2022 were attributed to this ransomware, an enormous share for such a young group.

Screenshot: ransom note of BlackCat ransomware

On Monday, June 13, 2022, Microsoft published a blog post detailing the BlackCat group. The company reviewed successful attacks against Windows and Linux devices, as well as VMware instances. Microsoft called BlackCat (a.k.a. ALPHV) a prime example of the "hacker gig economy", as it actively offers the ransomware-as-a-service model. The Rust programming language helps the group avoid detection by conventional security tools and creates problems for security professionals by making it difficult to reverse engineer the payload or compare it with similar ransomware. Typically, the hackers infiltrate systems using stolen victim credentials and remote desktop applications.

BlackCat attacked the Italian university

On June 11th, 2022 (Saturday), the University of Pisa reported a ransomware attack. As usual, the files were encrypted, but at first there was no ransom note in this case. The ransom note appeared several days later, on June 14. The cybercriminals demanded a $4.5 million ransom to be paid by June 16, 2022. That is a pretty big sum for such a short period, though not a record. A year ago, Kaseya received a $70 million ransom demand from the REvil ransomware group, and that did not end well for the group. It is still not clear how exactly the hackers managed to get into the corporate network, or whether the ransom will be paid at all. Neither the gang nor university representatives have given any comment on the situation.

The BlackCat group stands out in the current state of ransomware. Some analysts compare it with the LockBit ransomware group, which is also known for its superior software base. The absence of any restrictions on possible targets also makes it possible for the group to take over the market share of other actors. Microsoft also reported on DEV-0504 and DEV-0237, two ransomware gangs using the latest software from BlackCat. Payload modification is common among ransomware-as-a-service groups, the company says, as it generates a lot more money and makes the ransomware more difficult to detect.
