Airzero Sec

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid.

Authorities in Russia have apprehended 14 alleged members of the notorious REvil ransomware gang. The Russian Federal Security Service (FSB) oversaw the crackdown operation announced on Friday (January 14), based on information provided to them by US law enforcement regarding ransomware attacks on western companies. According to an FSB statement (Google-translated from the Russian language original) on the case, the suspects were later charged with "illegal circulation of means of payment." This would imply that the individuals are facing money laundering and fraud charges rather than computer intrusion charges, though there is still some ambiguity in the case. "It's unclear whether the developers or lower-level criminals were arrested," Group-IB, a threat intelligence firm, told The Daily Swig.

The FSB went on to say that "as a result of the joint actions of the FSB and the Russian Ministry of Internal Affairs, the organized criminal community ceased." Although details are sketchy, indications suggest that Russian authorities have apprehended a number of alleged underlings rather than bosses and masterminds in a large ransomware-as-a-service criminal conspiracy.

The FSB has made available edited video highlights of its raids.

Resident REvil

REvil's (also known as 'Sodinokibi') confirmed victims include global money exchange Travelex, IT services firm Kaseya, and JBS, one of the world's largest meat suppliers.

In October 2021, US authorities successfully breached and disrupted REvil's infrastructure.

The latest law enforcement action, which could be even more serious, comes on the heels of a November 2021 indictment of two men charged with using REvil ransomware in cyber-attacks against Kaseya and others.

That earlier action involved the arrest of different, named suspects in Poland and Romania.

'Constant pressure'

Ransomware is still a major threat, but REvil has been largely dormant since last October, long before the latest arrests. Despite this, threat intelligence experts questioned by The Daily Swig said the threat could reappear under a different guise, so confident statements that the risk has been neutralized are, at best, premature. "REvil dropped off the radar in October as a result of constant law enforcement pressure. The group's infrastructure has remained inactive since then," said Group-IB. "However, as we've seen with other ransomware gangs, shutdowns do not always mean the end of malicious activity. There are many RaaS [ransomware-as-a-service] programmes at the moment, with Group-IB analysts identifying at least 21 new affiliate programmes in the latest Hi-Tech Crime Trends report between H2 2020 and H1 2021.

"Furthermore, ransomware gangs frequently relaunch their operations under new names. Such rebranding has occurred with DoppelPaymer and Avaddon. In addition, in August, we revealed the similarities between DarkSide and its apparent successor, BlackMatter."

If you have any questions about the preceding topic, please do not hesitate to contact us. Your digital partner will be Airzero Sec.


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc

With the arrival of 2022, ransomware operators are back in business. It had only been a week into the new year when researchers issued a warning about the newly discovered Lapsus$ ransomware.

What's the latest?

  • During the New Year's holiday, Impresa, Portugal's largest media conglomerate, was infected with the new Lapsus$ ransomware.
  • The gang claimed responsibility for the attack by defacing all Impresa websites with a ransom note.
  • The attack, however, had no effect on radio or cable television broadcasts.
  • While the company has reclaimed control of many of its impacted sites, the gang claims to still have access to company resources.

The overall picture

  • The Lapsus$ group has hacked several other organizations since its discovery in December 2021.
  • This included an attack on the websites of Brazil's Ministry of Health, which resulted in the loss of COVID-19 vaccination data for millions of citizens.
  • Claro and Embratel, two South American telecommunications companies, were the other two victims.

In conclusion

For cybercriminals, ransomware is a lucrative business. It's working and it's paying off. With each passing year, threat actors become more creative in their extortion and propagation techniques, posing a significant threat to organizations. Instead of becoming a sitting duck for such threats, organizations must strengthen their cybersecurity posture by implementing a robust backup process and detection measures for malicious activities.

Airzero Sec is leading the way in innovation to help you overcome your most difficult security challenges. If you have any questions about newly discovered Lapsus$ ransomware targets, please contact us.


PYSA, which has surpassed the Conti ransomware gang, has found success with government-sector attacks.

PYSA, also known as Mespinoza, overtook Conti as the leading ransomware threat group in November. It joined the ranks of LockBit, which has dominated the space since August.

According to NCC Group's November ransomware insights, PYSA increased its market share with a 50% increase in the number of targeted organizations, including a 400% increase in attacks against government-sector systems.

Double-Extortion and Beyond

PYSA frequently uses double extortion against its victims, exfiltrating and encrypting data before threatening to publish the data if the victim does not pay the ransom.

The FBI issued a special alert about PYSA's focus on the education sector in March, warning schools to be on the lookout for phishing lures and brute-force Remote Desktop Protocol attacks as initial-access techniques.

Everest Changes Tactics to Sell Early Access

According to NCC Group, the Russian-language ransomware group Everest is taking its extortion tactics to the next level, threatening to sell off access to targeted systems if its demands are not met.

According to NCC Group, Everest would sometimes skip the ransom demand entirely and instead focus on selling access. Analysts are keeping a close eye on this to see if it sparks a new trend among other groups.

"While ransomware-as-a-service has grown in popularity in the last year, this is an example of a group forgoing a ransom demand and instead selling access to IT infrastructure – but we may witness copycat behaviour in 2022 and beyond," the report said. According to NCC Group, the regions with the most attacks are North America and Europe.

Conti is making a comeback

Meanwhile, the Russian-language group Conti's prevalence fell by 9.1 percent. However, the threat group looked set to make up for this in December by announcing that it was the first professional ransomware actor to develop a fully weaponized attack chain against the Log4Shell vulnerability.

According to another report from last week, Conti's advantage is its size: the organization "plays a unique role in today's threat landscape, owing to its size."

Airzero Sec's cybersecurity experts have been working on a variety of projects for a number of well-known organizations for many years. Use our prior experience to your advantage, whether it is to assist you in getting there or to conduct technical tests. If you have any concerns about PYSA emerging as the leading ransomware actor, please contact us. Airzero Sec will be your companion.
