Ransomware incidents overview, July 5-12, 2021

Much of the public’s attention last week was drawn by the REvil ransomware attack on Kaseya, whose VSA remote-management product is used by managed service providers (MSPs). According to some experts, the criminals chained three zero-day vulnerabilities in VSA: an authentication bypass, an arbitrary file upload, and a code injection flaw.

According to Kaseya CEO Fred Voccola, the attack disrupted business operations at between 800 and 1,500 organizations around the world, including dental offices, architectural firms, plastic surgery centres and libraries. Coop, one of Sweden’s largest supermarket chains, was forced to close about 800 stores nationwide because of the attack: store employees could not process payments after cash registers and self-service checkouts stopped working.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published guidance for organizations affected by the REvil attack on Kaseya VSA. The agencies recommend checking systems for signs of compromise with the detection tool provided by Kaseya and enabling multi-factor authentication on as many accounts as possible.

Fraudsters are taking advantage of the situation around the Kaseya attack and its victims. They are sending spam emails to potential victims with a malicious attachment and an embedded link, disguised as a Microsoft security update for the zero-day vulnerability in Kaseya VSA exploited by REvil; the payload is a Cobalt Strike beacon. When a victim opens the attachment or downloads and runs the fake patch, the attackers gain persistent remote access to the computer.

REvil’s attack on Kaseya and its clients was technically successful, but a departure from the group’s usual tactics, techniques and procedures resulted in only a small number of ransom payments: the victims’ backups were not deleted and no data was stolen, so the criminals had little leverage over the victims. This was reported by BleepingComputer.

A cybersecurity researcher using the PCrisk alias discovered new variants of the STOP ransomware that add the .zqqw, .zzla, and .pooe extensions to encrypted files.

White House press secretary Jen Psaki said that Russia is responsible for curbing the activities of hackers operating from its territory, even if the state itself has nothing to do with the cyberattacks.

“I emphasize that the view of US President Joe Biden and the view of the United States administration is that even though these actions against the US and the American private sector are being undertaken by criminal elements, even if the Russian government is not involved, they still are responsible,” explained Psaki.

SentinelLabs has published an analysis of the Conti ransomware. Conti, offered as Ransomware-as-a-Service (RaaS), has established itself among criminals as flexible and effective malware that can run both autonomously and under operator control, with unusually high encryption speed. As of June 2021, Conti affiliates had demanded ransoms of several million dollars from over 400 organizations.

Investment banking company Morgan Stanley reported that some customers’ personal information was compromised through a third-party vendor that used the Accellion FTA file-transfer appliance. The stolen files were encrypted, but the attacker “was able to obtain the decryption key by hacking the Accellion FTA.” The stolen data included names, addresses, dates of birth, social security numbers, and company names.

Charles Carmakal, senior vice president at Mandiant, said that incident responders cannot keep up with the volume of ransomware attacks. Attacks are now so numerous that response firms simply cannot help every newly compromised victim recover its business.

Cybersecurity researcher Jack Cable launched Ransomwhere, an open-source, crowdsourced ransomware payment tracker. The service lets anyone view and download data on payments made to ransomware groups, or report a ransom demand they have received.

Cybersecurity researcher Michael Gillespie has discovered a new ransomware program that adds the .nohope extension to encrypted files.
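The extensions reported above (.zqqw, .zzla and .pooe for the new STOP variants, .nohope for the unnamed family) are the cheapest indicator a responder has when triaging a file share. The following scanner is an added example written for this digest, not code from the page or from either researcher: it walks a directory tree, matches appended extensions against the list from the two items above, and checks whether the file content is high-entropy (as ciphertext would be) before calling it a hit, so that a stray file that merely carries the extension is reported separately. The family label for .nohope, the entropy threshold, and the sample files it builds in a temporary directory are all assumptions made for the example.

```python
"""Triage scan for files carrying ransomware-appended extensions.

Added example for the digest above; not the page's or any researcher's code.
The extension list comes from the two items above. The 7.0 bits/byte entropy
threshold and the sample tree in demo() are assumptions for illustration.
"""
import math
import os
import tempfile
from collections import Counter, defaultdict

# Appended extension -> family, from the digest. ".nohope" is attributed on the
# page only to "a new ransomware program", so it gets a generic label (assumption).
KNOWN_EXTENSIONS = {
    ".zqqw": "STOP",
    ".zzla": "STOP",
    ".pooe": "STOP",
    ".nohope": "unnamed ransomware (.nohope)",
}


def classify(filename):
    """Return (family, original_name) when the last extension is a known
    ransomware-appended one, else None. STOP keeps the original name intact
    and appends its extension, so 'report.docx.zqqw' -> ('STOP', 'report.docx')."""
    stem, ext = os.path.splitext(filename)
    family = KNOWN_EXTENSIONS.get(ext.lower())
    return None if family is None else (family, stem)


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path, sample_size=4096, threshold=7.0):
    """True when the first `sample_size` bytes are high-entropy (assumed threshold)."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def scan_tree(root):
    """Walk `root` and split extension matches into two groups.

    Returns (confirmed, unverified): both are {family: [relative_path, ...]},
    with paths sorted. A file is 'confirmed' when its extension matches AND its
    content is high-entropy; an extension match with low-entropy content goes
    to 'unverified' so a decoy or renamed file is not counted as encrypted."""
    confirmed, unverified = defaultdict(list), defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            result = classify(name)
            if result is None:
                continue
            family, _original = result
            path = os.path.join(dirpath, name)
            bucket = confirmed if looks_encrypted(path) else unverified
            bucket[family].append(os.path.relpath(path, root).replace(os.sep, "/"))
    return ({f: sorted(p) for f, p in confirmed.items()},
            {f: sorted(p) for f, p in unverified.items()})


def summarize(hits):
    """Per-family count of files, for a one-line triage summary."""
    return {family: len(paths) for family, paths in hits.items()}


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return results."""
    # (relative path, content): random bytes stand in for ciphertext; the decoy
    # carries a STOP extension but plain-text content. All constructed here.
    sample_files = [
        ("docs/report.docx.zqqw", os.urandom(4096)),
        ("docs/budget.xlsx.zqqw", os.urandom(4096)),
        ("photos/holiday.jpg.zzla", os.urandom(4096)),
        ("share/notes.txt.pooe", os.urandom(4096)),
        ("share/archive.zip.nohope", os.urandom(4096)),
        ("share/decoy.zqqw", b"plain text, not encrypted\n" * 200),
        ("share/untouched.txt", b"normal file\n" * 50),
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample_files:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        confirmed, unverified = scan_tree(root)
    return confirmed, unverified


if __name__ == "__main__":
    confirmed, unverified = demo()
    print("confirmed encrypted per family:", summarize(confirmed))
    print("extension match, low entropy :", summarize(unverified))
```

Run it against a mounted share to get a per-family count and the list of affected paths; the entropy check is a heuristic (compressed archives are also high-entropy), so treat "unverified" as something to look at by hand rather than as a clean bill of health.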

CNA Financial Corporation, a leading US insurance company, notified customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March this year. The incident affected 75,349 people. Stolen data includes customer personal information such as names and social security numbers.
