Tag: Ransomware

Cloud Hosting Provider DataResolution.net Battling Christmas Eve Ransomware Attack

Cloud hosting provider Dataresolution.net is struggling to bring its systems back online after suffering a ransomware infection on Christmas Eve. The company says its systems were hit by the Ryuk ransomware, the same strain that crippled printing and delivery operations for multiple major U.S. newspapers over the weekend.

Data Resolution LLC provides software hosting, business continuity systems, cloud computing and data center services to some 30,000 businesses worldwide. The company has not yet responded to requests for comment.

Read more about the ransomware attack on KrebsOnSecurity.

North Korea Implicated In Attack That Stops Wall Street Journal And New York Times Presses

A server outage at Tribune Publishing on Saturday that prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun was actually nothing of the sort.

Instead, it appears to have been a cyber-attack involving what is thought to have been a version of the highly successful Ryuk ransomware family. Ryuk has been linked by some researchers to the Lazarus Group, a threat actor generally attributed to North Korea, on the strength of code overlap with the earlier Hermes ransomware; that attribution is disputed, and other researchers assess that Ryuk is operated by financially motivated criminals rather than a state actor.

Read more about the ransomware attack on Tribune Publishing on Forbes.

Malwarebytes: Fileless ransomware an emerging threat for U.S.

A completely fileless ransomware, dubbed Sorebrect, is “one of the first of its kind” to combine traditional ransom functionality with fileless tactics, according to a new Malwarebytes report.

In “Under the Radar: The Future of Undetected Malware,” Malwarebytes detailed four fileless attacks observed throughout 2018, including Emotet, TrickBot, SamSam and Sorebrect. The report referenced a study from the Ponemon Institute, which stated that “fileless malware attacks are estimated to account for 35% of all attacks in 2018, and they’re almost 10 times more likely to succeed than file-based attacks.”

Read more about the findings of the Malwarebytes report on TechTarget.

JungleSec Ransomware Infects Victims Through IPMI Remote Consoles

A ransomware called JungleSec has been infecting victims through unsecured IPMI (Intelligent Platform Management Interface) interfaces since early November.

When it was originally reported in early November, victims were running Windows, Linux, and Mac, but there was no indication as to how they were being infected. Since then, BleepingComputer has spoken to multiple victims whose Linux servers were infected with the JungleSec ransomware, and they all stated the same thing: they were infected through unsecured IPMI devices.
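The check a defender wants after reading this is whether any of their own BMCs answer on the network at all. The following is an added example, not code from the BleepingComputer report or from any vendor: it builds an RMCP/ASF Presence Ping (the same UDP/623 probe that nmap's ipmi-version script and Metasploit's ipmi_version module send) and parses the Presence Pong, whose "supported entities" byte has bit 7 set when the responder speaks IPMI. The sample pong bytes are constructed for the test; `probe()` sends a real packet and is the only part that touches the network.

```python
"""RMCP/ASF Presence Ping: discover BMCs that answer IPMI on UDP/623.

Added example (not from the article). Packet layout follows the ASF 2.0 / IPMI 2.0 RMCP specs:
  RMCP header : version 0x06, reserved, sequence (0xff = no ACK wanted), class 0x06 = ASF
  ASF message : IANA enterprise number 4542 (0x11be), type, tag, reserved, data length
"""
import socket
import struct
from typing import Optional

IPMI_PORT = 623
ASF_IANA = 0x000011BE          # IANA enterprise number assigned to ASF/DMTF
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0x01) -> bytes:
    """12-byte RMCP header + ASF Presence Ping with no data payload."""
    rmcp = bytes([0x06, 0x00, 0xFF, 0x06])
    asf = struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp + asf


def parse_presence_pong(data: bytes) -> dict:
    """Decode a Presence Pong; raises ValueError for anything that is not one."""
    if len(data) < 28:                                   # 4 RMCP + 8 ASF header + 16 data
        raise ValueError("too short for a presence pong")
    version, _reserved, _seq, rmcp_class = data[0:4]
    if version != 0x06 or (rmcp_class & 0x0F) != 0x06:
        raise ValueError("not an RMCP/ASF message")
    iana, msg_type, tag, _res, length = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or length != 0x10:
        raise ValueError("not a presence pong")
    oem_iana, oem_defined, entities, interactions = struct.unpack(">IIBB", data[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),   # bit 7: IPMI supported
        "asf_version": entities & 0x0F,            # low nibble: 1 = ASF 1.0
        "supported_interactions": interactions,
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one ping to host:623 and return the parsed pong, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(0x01), (host, IPMI_PORT))
        try:
            data, _peer = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample response (what a typical BMC returns), used for offline testing.
SAMPLE_PONG = bytes([
    0x06, 0x00, 0xFF, 0x06,                 # RMCP header, class ASF
    0x00, 0x00, 0x11, 0xBE,                 # ASF IANA
    0x40, 0x01, 0x00, 0x10,                 # Presence Pong, tag 1, reserved, 16 data bytes
    0x00, 0x00, 0x11, 0xBE,                 # OEM IANA (ASF itself)
    0x00, 0x00, 0x00, 0x00,                 # OEM defined
    0x81,                                   # IPMI supported, ASF version 1.0
    0x00,                                   # supported interactions
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,     # reserved
])

if __name__ == "__main__":
    print(parse_presence_pong(SAMPLE_PONG))
```

A pong by itself does not prove the BMC is exploitable, but a BMC reachable from anything other than an isolated management network is already the condition the victims above describe. The fixes are the usual ones: put BMCs on a dedicated management VLAN with no route from the internet or from tenant networks, replace vendor default credentials, disable cipher suite 0 and anonymous logins, and keep BMC firmware current.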

Read more about JungleSec ransomware on BleepingComputer.

18 Months Later, WannaCry Still Lurks on Infected Computers

Eighteen months after the initial WannaCry Ransomware outbreak, the malware continues to rear its head on thousands of infected computers.

When the WannaCry infection was first unleashed, security researcher Marcus Hutchins of Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection. If the infection was able to connect to this kill switch domain, the ransomware component would not activate. The worm component, though, remains installed on the machine and silently re-runs the check, connecting to the kill switch domain each time to see whether it is still live. According to Hutchins, the WannaCry kill switch domain still receives over 17 million beacons, or connections, in a one week period.
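Those beacons are also visible from inside an organization: every dormant host resolves the kill-switch hostname before connecting to it, so a resolver's query log is a free inventory of machines that still carry the worm. The following is an added example, not from Kryptos Logic or the BleepingComputer article; the hostname is the one from the original May 2017 sample that Hutchins registered (other variants used different domains, so treat the set as something to extend), and the BIND-style log lines are constructed.

```python
"""Find hosts still beaconing to the WannaCry kill-switch domain from DNS query logs.

Added example. Input format is BIND 9 query logging; adapt QUERY_RE for other resolvers.
"""
import re
from collections import Counter

# Kill-switch hostname from the original WannaCry sample (May 2017). Extend for other variants.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
24-Dec-2018 09:12:01.123 queries: info: client 10.1.4.22#53211 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.2)
24-Dec-2018 09:12:05.456 queries: info: client 10.1.4.22#53212 (www.example.com): query: www.example.com IN A + (10.1.0.2)
24-Dec-2018 09:13:40.789 queries: info: client @0x7f3c1c0a2b10 10.1.7.9#41001 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.2)
24-Dec-2018 09:14:02.000 queries: info: client 10.1.4.22#53220 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.2)
"""

# Tolerates both the older "client IP#port" and newer "client @0x... IP#port" BIND formats.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN"
)


def find_beaconing_hosts(log_text: str, domains=KILL_SWITCH_DOMAINS) -> dict:
    """Return {client_ip: query_count} for clients that resolved a kill-switch hostname."""
    hits = Counter()
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        qname = match.group("qname").rstrip(".").lower()
        if qname in domains:
            hits[match.group("client")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{ip}\t{count} kill-switch lookups")
```

The hosts this surfaces need the worm removed and MS17-010 applied; what they must not get is a block on the kill-switch domain. An infected machine whose connection to that domain fails proceeds to encrypt, which is also why hosts behind an authenticating proxy were not saved by the kill switch in 2017. Let the query through and use the log.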

Read more about the lingering WannaCry infections on BleepingComputer.

Quarter of Healthcare Organizations Hit by Ransomware in Past Year: Study

One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over the past year, a new Kaspersky Lab survey reveals.

Ransomware attacks have plagued organizations in numerous sectors over the past several years, and the healthcare industry has been one of their preferred targets, although security researchers have already noted a downward trend in such incidents.

Read more about the findings of the new report on SecurityWeek.

Satan Ransomware Variant Exploits 10 Server-Side Flaws

A new version of a ransomware family that first surfaced about two years ago is garnering attention for its ability to spread via as many as ten different vulnerabilities in Windows and Linux server platforms.

"Lucky," as the new malware is called, is a variant of Satan, ransomware that first became available through a ransomware-as-a-service offering in January 2017. Like Satan, Lucky is worm-like in behavior and capable of spreading on its own with no human interaction at all. Security vendor NSFocus spotted the variant on systems belonging to some of its financial services customers in late November, and described it as likely to cause extensive infections worldwide.

Read more about Lucky ransomware on DarkReading.

Sextortion Emails now Leading to Ransomware and Info-Stealing Trojans

Sextortion email scams have been a very successful way of generating money for criminals. A sextortion scam is an email claiming that someone has hacked your computer and recorded videos of you while you were visiting adult websites. The email then tells you to send bitcoins or the videos will be shared with all of your contacts.

Researchers at Proofpoint have spotted a new campaign in which the emails, instead of containing a bitcoin address to send the blackmail payment to, prompt you to download the video they claim to have made of you engaged in certain "activities." The downloaded zip file, though, contains an executable that installs malware on the computer.
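The point for anyone triaging such an attachment is to judge archive members by their content rather than by the name the sender chose. The following is an added example, not code from Proofpoint or from the BleepingComputer write-up; the archive it inspects is constructed in memory (a bare MZ stub named like a video) and stands in for the real lure.

```python
"""Triage an emailed archive: judge members by content and naming tricks, not the claimed type.

Added example. The sample archive is constructed here, not the one from the campaign.
"""
import io
import zipfile

PE_MAGIC = b"MZ"                                   # DOS/PE executable header
VIDEO_EXTS = (".mp4", ".avi", ".mov", ".wmv", ".mkv")
EXEC_EXTS = (".exe", ".scr", ".com", ".js", ".jse", ".vbs", ".wsf", ".lnk", ".hta", ".bat", ".cmd")


def inspect_archive(zip_bytes: bytes) -> list:
    """Return one finding per member with the signals a triage analyst checks first."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)               # only the magic is needed for this check
            lower = info.filename.lower()
            is_pe = head == PE_MAGIC
            exec_ext = lower.endswith(EXEC_EXTS)
            # "video.mp4.exe" displays as "video.mp4" once Windows hides known extensions
            double_ext = any(ext + "." in lower for ext in VIDEO_EXTS)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "pe_header": is_pe,
                "executable_ext": exec_ext,
                "double_ext": double_ext,
                # Any executable content inside a "video" sent by a stranger is enough to block.
                "suspicious": is_pe or exec_ext or double_ext,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: an MZ stub named like a video, plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("proof_video.mp4.exe", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"open the video to see what we have")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

Reading the first bytes rather than trusting the name is what catches the common variants of this lure (an .exe or .scr with a video-looking prefix, or a script file); at the mail gateway the same logic becomes a policy of rejecting archives that contain any executable member.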

Read more about this new sextortion scam on BleepingComputer.

Iran-Based Hackers Indicted in March Cyberattack on Atlanta

A U.S. grand jury indicted two Iranian nationals over claims they carried out a March ransomware attack against the city of Atlanta, crippling its computer systems and causing millions of dollars in losses. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri used ransomware known as SamSam to infect about 3,789 servers and workstations in Atlanta, the Justice Department said.

The two men, who operated from Iran, were also indicted last week by a federal grand jury in Newark, New Jersey, for a “34-month-long international computer hacking and extortion scheme,” according to the Justice Department.

Read more about the new charges against the Iranian hackers on Bloomberg.

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Over 100,000 computers in China have been infected in just a few days with poorly written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks demand a ransom of 110 yuan (about $16) from each victim in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.

According to a report from Chinese security firm Huorong, the malware, dubbed "WeChat Ransom" in some reports, emerged on December 1, and the number of infected systems had grown to over 100,000 as of December 4. The infection rate appears to have accelerated sharply in a single day, rising to that figure from just 20,000 the day before.

Read more about the massive ransomware campaign on BleepingComputer.