Tag Archives: Ransomware

Wanted Conti!

Ransomware is a growing danger day by day and unfortunately, no permanent measures can be taken against these attacks. It seems like for now, the USA seems to apply the most correct non-technical method against Ransomware attacks.

The Department of State is offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group. Additional $5M reward for any information conspiring Conti. The statement was published on 6th of May.

According to several reports, annual income of Conti is about more than $150M and it seems like they are located in Russia.

We think that rewarding is an important measure against ransomware groups because although a lot of technical measures have been taken and talked about, the cases are increasing day by day. With this reward action, Conti members are likely to be exposed in a few months. We will see together whether such a measure will work.

An Estonian Sentenced Because of Ransomware Conspiracy

The US Department of Justice announced that an Estonian man – Maksim Berezan, 37 – was sentenced to 66 months in prison because of ransomware conspiracy. He was apprehended in Latvia and extradited to the United States.

According to the court documents, Berezan had participated in at least 13 ransomware attacks, seven of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled. Berezan used his ill-gotten gains to purchase two Porsches, a Ducati motorcycle, and an assortment of jewelry.

While we have long been in the business of protecting money, from the earliest days of coins and paper, to plastic, and today’s more accessible and commonplace digital currencies, we also remain in parallel footprint to the evolution of criminal behavior into cyberspace,” said Matthew Stohler, special agent at the US Secret Service.

Ransomware thieves are not safe in any dark corner of the internet in which they may think they can hide from our highly trained investigators and law enforcement partners worldwide. Together with our critical partners we are dedicated to protecting the public and securing every iteration of our money and every part of our national financial infrastructure.

Countdown for Bridgestone

Last month, Birdgestone faced a cyber attack and were shut down factories on February 27. Power outages are reported at factories in Iowa, Illinois, North Carolina, South Carolina, Tennessee and Canada for long time after the incident.

After the incident, LockBit ransomware claimed responsibility for it. It is mentioned that data leaked by hackers and started a timer for the payment of the ransom and threatened to publish the data they stole from the company if the money was not transferred on time.

While wondering whether this event is related to the ongoing Russia-Ukraine tension, the developments show that the event is completely focused on financial gain.

Meanwhile, “For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work. All we do is provide paid training to system administrators around the world on how to properly set up a corporate network. We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts” post published by the group.

“Many people ask us, will our international community of post-paid pentesters, threaten the west on critical infrastructure in response to cyber aggression against Russia?
Our community consists of many nationalities of the world, most of our pentesters are from the CIS including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers developers live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings.”

Biggest Insider Threat – Lapsus$ Job Advertisement

A few months ago, there were reports that threat groups were contacting the employees of the companies they were planning to attack and asked for their support to infiltrate in exchange for a certain share. It seems that this issue is getting more and more important every day.

Lastly, Lapsus$ group published a job advertisement that they are recruiting employees that working in certain companies including Claro, Telefonica, ATT, Microsoft, Apple and similar ones.

Insider threat is already a major risk for companies because they are trusted people of the company and have access to various data and systems. Until now, we have mostly treated internal threats as individual initiatives. These may be some employees who are unhappy, want to achieve different personal gains, just careless ones who sending e-mail to wrong destinations or untrained ones making mistakes on working systems. But with employees who started working with threat groups, insider threat goes to another dimension. Now, with the support and motivation of the threat groups, insider threats becomes more dangerous as knowing what she is doing really and is focused.

In the job advertisement, Lapsus$ also calls for the ones who are not employee but already has VPN to these companies. This also shows us the importance of the 3rd party risk and NDA agreements. even if you take adequate precautions with your own users inside – which is not 100% possible, this 3rd party connections poses great risk.

There is a lot to be done about this. As a post incident activity, the penalties given to the cases that have emerged can provide a deterrent in this regard. But the most important thing undoubtedly should be to increase the loyalty of the users to the company.

Latest News about Russia & Ukraine Cyber War

Before Russian troops entered Ukraine, both government and companies of Ukraine faced several cyber attacks. While these cyber attacks are expected to spread all over the world, the attacks on Ukraine continue. A few days ago, according to Reuters, Ukraine asks hackers to help defending its cyber structure. “The government of Ukraine is asking for volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according two people involved in the project” said Reuters. “Ukrainian cyber community! It’s time to get involved in the cyber defense of our country,” said in the post..

While all this is happening, Anonymous, international hacking collective announced they support Ukraine and has declared war against Russia. After this statement, we saw that several Russian government and company websites faced issues.

As recent progress, Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of Belarusian state-sponsored hackers targeting its military personnel as a phishing campaign. “Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals.. After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages” the CERT-UA said.

Before, in November, Mandiant announced that UNC1151 Assessed with High Confidence to have Links to Belarus government. UNC is a naming of Mandiant for the threat actors that under investigation, but not yet matched to an existing group. and Ukraine now blames UNC1151 group for these attacks.

UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany,” Mandiant researchers said in the report. “The targeting also includes Belarusian dissidents, media entities, and journalists.

Another statement on the subject, some threat actors behind Conti ransomware posted a warning Friday that said it was “officially announcing a full support of Russian government.” Previously, Mandiant announced that “at least a portion of actors involved with Conti ransomware are based in Russia“. As in the past, it seems that Russian government is taking advantage of their talents.

What is CONTI?

CONTI is a Windows ransomware family that has been used in recent years. Later, a linux version was also encountered. Until today, many different people using this ransomware were encountered in the Russian forums.

Retired Ransomware Developers Release Decryption Keys

Decryption keys for Egregor, Sekhmet and Maze shared by someone claiming to be the developer of all three malware.

The keys were published in BleepingComputer forum. As stated in the forum post, this was a planned leak and is not related to the recent law enforcement against attackers. Again, according to the post, none of their team members will ever return to ransomware attacks and the source code of the malware has been destroyed.

The post was containing a link to download a 7zip file with four archives containing the Maze, Egregor and Sekhmet decryption keys, as well as the source code for the M0yv malware used by the operators. However, because of being malicious, the link removed from post. It may be possible to contact to get them again.

Meanwhile, some experts corrected the decryption keys’ performance.

The Newest Ransomware: Epsilon Red

Sophos announced that analysts uncovered a new ransomware – called Epsilon Red – that developed in Go programming language. The code is placed in PowerShell script.

This malicious file is written in Go programming language and a 64-bit executable file. It is said that spreading in systems by exploiting security vulnerabilities in Microsoft Exchange servers. It is using vulnerabilities like CVE-2020-1472, CVE-2021-26855 and CVE-2021-27065 that recently discovered Microsoft Exchange servers vulnerabilities. Epsilon Red ransomware scans files and encrypts for ransom when it reach to the target systems. It seems like still there are more than three thousand exchange servers that including these vulnerabilities and this shows us Epsilon Red attacks would be more painful.

According to Sophos, Epsilon Red has been seen in hospitality industry in USA mostly, and it seems like one of their victims paid 4.29 BTC after being affected.

For not being affected, organizations should keep the applications up to date and detect these IoCs below to prevent this attack. Also you can read our short post about prevention agains ransomwares.

Domain:

epsilons.red

Hash:

57ee78299598170c766ff73cefca9e78b9b81ac6999e8adb61903bc89be313ba

ce5ba1e5d70d95d52b89a1b8278ff8dd4d1e25c38c90ca202b43bdc014795d78

699ffb898864bf804cf726f39b5e8168d55e44fc1584b71ba25e31b43ae543e8

35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7

7259975d7e3b3d9d059a38f4393ab920764b46ca243e192e08f7699999382e07

172bbf46e5f46dd7a9ea0c22054b644f60efc3a9ad26a6f0e95ca57e38af60a7

9845619cb9c3612055a934c4270568391832eab40a66dbb22b1b37fa05559c92

5120998fa1482d4d0d0099d91aab2af647c0272819d7dcf792eec01c77ab9391

4d6272aeadf7fc131ac126dc07d7bfd2e878d359e5e7bb5376a67295ce05fc15

0794c8630f40f04c0e7cea40f11dc3f1a829a3be69852fe9e184aa8b7ed20797

7a8128f8788524e54a69619b69870dfd4c50db46e3eb786899f7275dab73d2d9

4eaf5e93953756bc2196bfcfb030b6eaad687fa1e8db9f47b09819f3b4315230

a9a6d35469e471666758ed5d1174edc5b650c0acb2c351213eadfb408f74bdcb

039da6b099303fdfd087bb7df94012780dfe375c67234ce495c78cf2dcf7fd9d

ee10f3a798aaa03f4ced2ddb28d2b36fe415ea2cbbd9c3b97b2a230a72d77f5c

5aa7de7eab570522c93d337d395396057033ad6596db4a0bda15d77a6d4c6c3a

84755b2177b72364918f18c62a23854e7a8a66c4f5005cc040357850adf9d811

c1f963aba616680e611601e446955e9552c69db23dabab8444718d82ad830029

8c294f1ef05df823460bd11ce34ea7860178de6bc3d9b0127a3b9c08cf62437f

Virtual Machines Roles in Growing Number of Ransomware Attacks

Symantec Threat Hunter Team published a post about evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers. The purpose of using VMs on ransomware attacks is thought to hide the malicious activities. It is stated that this method is used in order to bypass the security solutions in virtual machines and to ensure that malicious codes can be hidden in the virtual machine.

In the past, a similar attack was seen on Windows XP machines by RagnarLocker ransomware. The same method now is used in Windows 7 machines.

It is important to prevent the installation of unauthorized virtual machines in corporate networks and implement NDR solutions to capture the anomalies in the network. In addition, Symantec published these IoCs to detect;

  • 2eae8e1c2e59527b8b4bb454a51b65f0ea1b0b7476e1c80b385f579328752836 – Installer
  • 9f801a8d6b4801b8f120be9e5a157b0d1fc3bbf6ba11a7d202a9060e60b707d8 – runner.exe
  • e5291bae18b0fa3239503ab676cacb12f58a69eb2ec1fd3d0c0702b5a29246cb – VirtualBox
  • d89bd47fb457908e8d65f705f091372251bae3603f5ff59afb2436abfcf976d8 – Mountlocker
  • 8f247e4149742532b8a0258afd31466f968af7b5ac01fdb7960ac8c0643d2499 – Mountlocker

A Quick Guide for Ransomware Protection

Unfortunately, ransomware problem is growing every day, although a lot of cases we hear and tens of articles and webinars are published about it. In this post, I try to explain the Protection processes against ransomware. Then, with more posts, I will try to explain every steps deeper.

If you have been exposed to it and your files are encrypted, there is nothing much to do. So, it may be important to read these measures.

  1. Asset Management: You must know all assets in your organization, especially all assets connecting to internet. Meanwhile, you must know immediately when a new device connected to your network. Additionally, devices using Outlook is also important. A device may be able to Access to internet with restiricted policies but it can get email from outside of the organization. Restriction policies on proxys and firewalls cannot work perfectly, and always have some problems on not categorized or newly websites. So, an asset management device and a NAC solution is very important to manage devices.
  2. Do not use RDP: Remote Desktop Protocol is a common method for attackers to remotely connect to systems, or move laterally and deploy malware. Protocols like Telnet, SSH, SMB, and RDP should not be open to the internet. You should continuously scan your public IP addresses to check whether there is a protocol like these open to the internet. If you still need to open, pay attention to these;
    1. Local admin accounts should be kept in safe with a PAM solution
    2. Change the default RDP port
    3. Implement IP restriction if possible
    4. Allow remote connection only with recording systems
    5. Multifactor authentication should be implemented.
    6. Network Level Authentication (NLA) can be activated on devices. NLA provides a pre authentication step and also protects the System against brute force attacks.
    7. Implement security policies via Group Policy, and deny local changes
  1. Disable administrative and hidden shares on clients:
  1. Block some file types for incoming emails: Block emails including executive files. IF there are some file types that you cannot block because of the business, you should you some measures like sandbox for incoming emails.
  1. Backup and regularly backup tests: If you lose your all sensitive data, it is very important to have usable backups. For this, firstly, you should separate and isolate your backup network from all others. So, in a situation of compromise, backup networks will be safe. If you lose your backup data too with all data, there is no any other way other than pay the ransom.

Separating and isolating the backup network is a good start, but it is not enough. You must regularly test backup data and should be ensure that they are working. If you have an unusable backup data when you need it, it only means you spent hundereds of gigabytes for nothing.

There is no a System protecting %100 against ransomware, so backups are becoming more critical in this situation.

  1. Patch your systems regularly: Especially, systems that are open to the internet should be patched quickly. For this, you should have test systems for all your critical systems and patch these tests firstly, then take action quickly for the production systems.
  1. Awareness: %91 of the attacks begins with email. For an attacker, it s very easy to deceive a user rather than trying to find weaknesses and exploit them. Even if you have hundreds of measurements agains cyber attacks, if one of your users accept and click a malicious email, it means you can be exposed.

A Sad Story: Don’t Invest, Just Prodigalize

Last week, a friend called me, gave some bad news about a company. The company was looking for help since they became a victim of Egregor ransomware and trying to learn what to do against attacker since the attacker got their all data, encrypted it and gave three days to be paid 500k dollars. The attacker threatened them to publish their data in public in three days. Meanwhile, the only problem was not that all data would be published publicly, but also they lost all their private data. But, how can it be possible?

Ransomware is the biggest problem of the cyber world for some years. We heard about it, work on it and have seen paid bitcoins too much in these years. There are tens (or maybe hundreds) of webinars, talks and articles about it, trying to help about being safe against ransomware. It is ok while the weakest link is human, it is possible to be exposed a ransomware but it is not too difficult to confine it to a small area. 

The company I told about above was a chemical company and of course has too many private data like formulas. I mean they also lost their backups while I am saying they lost all their data. Since, they did not isolate their backup network, their backups was also being encrypted. Meanwhile, they have some backup tapes but cannot use them because they have never tested whether the backup tapes working, and of course they did not when the company need them. 

There are some basic prevention steps against ransomware. If we mention briefly, we can say user awareness, regular phishing tests, not only an anti-spam product but also a sandbox or another technology against malicious emails, EDR to response faster against a malicious behavior, NDR to determine the anomaly in the network, to backup data and test these backups regularly, to isolate backup network so infiltrated attackers cannot harm backups, to isolate private data and apply need to know, to limit users’ internet access, and more. the list seems too long but most of them do not require much expenditure. But it if you do not invest to professionals and to any technology, then you just prodigalize your money. However, you can never count lost reputation and also secret formulas and data. 

All these measures can take too much. I can understand if a company cannot invest all of them for security. But as I said above, this company’s backup network is not isolated and can be accessed from all other networks. And, as I learnt, they only use an antivirus software but it is not up to date, and I am sure they do not track whether all PCs or servers have this antivirus. So, like these measures, most of them are not expensive. To have these measures at least, every company needs to invest talented security professionals to save money. However, I think, any of these measures cost more than 500k$ + reputation + publicly published private data. To invest security is not wasting money. It is directly saving money. Everyone needs to understand this without living.