A “critical water utility” has been targeted in a recent ransomware attack, significantly impeding its ability to provide service in the week after Hurricane Florence hit the East Coast of the U.S.
The Onslow Water and Sewer Authority (ONWASA) said that a “sophisticated ransomware attack… has left the utility with limited computer capabilities.” While customer data was not compromised as part of the attack, the lack of computing ability will impact the timeliness of service from ONWASA “for several weeks to come.”
Read more about the ONWASA ransomware attack on Threatpost.
A new report looking at the behavior, market conduct and outcomes of ransomware attacks suggests that there is not only honor among cyber thieves, but that the ransomware market is becoming efficient, even automated. The report by Coveware sheds light on this frequent scourge in the cyber risk landscape, which has moved “down market” as larger and more valuable targets harden their virtual defenses.
The world of cyber threats is not only misunderstood, it is woefully under-reported because of the twin stigmas victims carry: the potential embarrassment and business backlash of having to report compromised systems or a breach of privacy, and the misunderstanding that paying a cyber ransom or extortion fee may itself be illicit, which, the report argues, it generally is not (the exception being payments to parties under economic sanctions, which remain prohibited regardless of the ransomware context).
Read more about the findings of the new Coveware report on Forbes.
The GandCrab ransomware variant has been paired up with a crypter service to further enhance the malware’s stealth capabilities. The malware has undergone a number of evolutions of late, and the authors behind GandCrab appear to have been constantly seeking out ways to enhance its code since it first appeared in January this year.
GandCrab attempts to infect systems via poorly-secured remote desktop applications, exploit kits, phishing, botnets, and PowerShell scripts. The malware usually comes as a package and is widely regarded as a ransomware-as-a-service offering.
Read more about how GandCrab ransomware has been evolving on ZDNet.
Malware analysts from Slovak cyber-security firm ESET have found substantial evidence that links cyber-attacks performed against Ukraine’s power grid to the same group behind the NotPetya ransomware outbreak of June 2017. The link is not a direct one, but through a third malware strain that was spotted in an unrelated hacking operation in April this year.
Researchers say this malware, the Exaramel backdoor, was deployed from the server infrastructure of Telebots, the name of the group from whose infrastructure the NotPetya ransomware also originated.
Read more about the findings of the new ESET report on ZDNet.
Windows 10 comes with a ransomware protection feature called Controlled Folder Access that prevents unknown programs from modifying files in protected folders. At the DerbyCon security conference, a security researcher showed how ransomware can use DLL injection to bypass it.
Controlled Folder Access allows you to protect folders and files so they can only be modified by whitelisted applications. Knowing that explorer.exe is trusted by Controlled Folder Access, Soya Aoyama, a security researcher at Fujitsu System Integration Laboratories Ltd., figured out a way to inject a malicious DLL into Explorer when it is started, so that the writes to protected folders come from a process the feature already trusts.
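The checks a defender wants after reading this, as an added example that is not from the article or from Aoyama’s research: a PowerShell script that reports whether Controlled Folder Access is on, which extra folders and applications an administrator has allowed (every allowed application is one more process that can be abused the way explorer.exe is above), pulls the CFA events Microsoft Defender writes to its Operational log, and lists modules loaded into explorer.exe that are not signed by Microsoft. Event IDs 1123 (blocked) and 1124 (audited) are Defender’s documented CFA events; the EventData field names used to extract the process and path (“Process Name”, “Path”, “User”) are assumed from the event schema, and the module list in the last step is a review list, not a verdict, because legitimate shell extensions also load into Explorer.

```powershell
# Added example (not the article's code). Run from an elevated PowerShell
# prompt on Windows 10; the Defender cmdlets are Windows-only.

# 1. Current CFA state. EnableControlledFolderAccess: 0 = Disabled,
#    1 = Enabled (block), 2 = Audit mode.
$pref = Get-MpPreference
$state = switch ($pref.EnableControlledFolderAccess) {
    0 { 'Disabled' } 1 { 'Enabled (block)' } 2 { 'Audit mode' } default { 'Unknown' }
}
Write-Host "Controlled Folder Access: $state"

# 2. Folders protected beyond the built-in defaults, and applications an
#    administrator explicitly allowed. Each allowed app is an extra trusted
#    writer, just as explorer.exe is trusted by default.
Write-Host "`nAdditional protected folders:"
$pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }
Write-Host "`nAllowed applications:"
$pref.ControlledFolderAccessAllowedApplications | ForEach-Object { "  $_" }

# 3. CFA activity from the last 7 days. Event IDs in
#    Microsoft-Windows-Windows Defender/Operational: 1123 = blocked, 1124 = audited.
#    Field names below ('Process Name', 'Path', 'User') are assumed from the event schema.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

Write-Host "`nControlled Folder Access events (last 7 days):"
$events |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $d['Process Name']
            Target  = $d['Path']
            User    = $d['User']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 4. Triage: modules loaded in explorer.exe that are not signed by Microsoft.
#    Catalog-signed OS files report Valid with a Microsoft subject; third-party
#    shell extensions also appear here, so review the list rather than act on it.
Write-Host "`nNon-Microsoft modules loaded in explorer.exe:"
Get-Process explorer -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Module = $_.FileName; Status = $sig.Status; Signer = $signer }
        }
    } |
    Format-Table -AutoSize
```

Audit mode (value 2) is the safe way to roll the feature out: writes are logged as 1124 events instead of blocked, which surfaces the line-of-business applications that need an allow-list entry before enforcement is switched on.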
Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers, SecurityScorecard researchers are warning. Their weapon of choice is Phorpiex/Trik, a bot with worm capabilities that allows it to spread to other systems by copying itself to USBs and other removable drives.
This rather unsophisticated piece of malware scans the internet for Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) servers and tries to gain access to these devices by running through a list of widely used usernames and passwords.
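A detection for the RDP half of this behaviour, as an added example that is not from the article or from SecurityScorecard’s report: a PowerShell function that groups Windows Security events 4625 (failed logon) and 4624 (successful logon) by source address, flags any address that produces a burst of RemoteInteractive (LogonType 10, i.e. RDP) failures inside a short window, and reports whether a success from the same address followed the burst, which is the signature of a guessed password. The sample events are constructed for the example, the threshold and window are assumed tuning values, and VNC servers do not write Windows logon events, so they need their own logs.

```powershell
# Added example (not the article's code). Flags RDP password spraying and
# brute forcing from Windows Security events 4624/4625.

function Find-RdpBruteForce {
    param(
        # objects with Time, Id, LogonType, IpAddress, User
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,      # failures from one IP ...   (assumed tuning value)
        [int] $WindowMinutes = 5    # ... within this window     (assumed tuning value)
    )
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 } | Sort-Object Time
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $fails = @($group.Group | Where-Object { $_.Id -eq 4625 })
        $hit = $null
        # sliding window over the time-sorted failures from this address
        for ($i = 0; $i + $Threshold - 1 -lt $fails.Count; $i++) {
            $span = $fails[$i + $Threshold - 1].Time - $fails[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) { $hit = $fails[$i].Time; break }
        }
        if (-not $hit) { continue }
        # a success from the same address after the burst means a password was guessed
        $success = $group.Group |
            Where-Object { $_.Id -eq 4624 -and $_.Time -gt $hit } |
            Select-Object -First 1
        [pscustomobject]@{
            IpAddress   = $group.Name
            Failures    = $fails.Count
            UsersTried  = ($fails.User | Sort-Object -Unique) -join ','
            FirstBurst  = $hit
            Compromised = [bool]$success
            SuccessUser = if ($success) { $success.User } else { '' }
        }
    }
}

# Converts real Security-log events (requires admin) into the shape above.
function Get-RdpLogonEvents {
    param([int] $Days = 1)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = $_.Id; LogonType = [int]$d['LogonType']
            IpAddress = $d['IpAddress']; User = $d['TargetUserName']
        }
    }
}

# Constructed sample data (not real telemetry): 203.0.113.5 cycles through common
# account names every 5 seconds and gets in as 'admin'; 198.51.100.7 is one typo.
$t0 = Get-Date '2018-09-20T10:00:00Z'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{
            Time = $t0.AddSeconds($_ * 5); Id = 4625; LogonType = 10
            IpAddress = '203.0.113.5'; User = @('administrator', 'admin', 'user', 'test')[$_ % 4]
        }
    }
    [pscustomobject]@{ Time = $t0.AddSeconds(70); Id = 4624; LogonType = 10; IpAddress = '203.0.113.5'; User = 'admin' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3);  Id = 4625; LogonType = 10; IpAddress = '198.51.100.7'; User = 'alice' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3);  Id = 4624; LogonType = 3;  IpAddress = '198.51.100.7'; User = 'alice' }
)

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
# Against the live log: Find-RdpBruteForce -Events (Get-RdpLogonEvents -Days 1)
```

On the constructed data only 203.0.113.5 is reported, with 12 failures across four account names and Compromised set to true for user admin; the single failure from 198.51.100.7 never reaches the threshold. Exposed RDP should not be reachable from the internet at all, but where it is, an account lockout policy and Network Level Authentication blunt exactly the dictionary attack this bot runs.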
A newly discovered malware strain is a multi-tasking threat that, besides encrypting users’ files as ransomware, also logs and steals their keystrokes and adds infected computers to a spam-sending botnet. This new threat is named Virobot and appears to be under development.
Its ransomware component seems to be a unique strain with no ties to previous ransomware family trees, according to cyber-security firm Trend Micro, whose malware analysts spotted the new threat. After encrypting files on an infected computer, Virobot shows a ransom note written in French, which seems odd because the campaign has targeted US users.
Read more about the newly discovered Virobot malware on ZDNet.
A small Scottish brewery recently became the victim of a targeted ransomware attack. This story is a reminder that you don’t have to be the biggest and most well-known company to fall victim to cyber crime.
Arran Brewery in Scotland advertised job vacancies on its site; yet after the company filled the most recent vacancy, for a credit control and finance assistant, resumes from around the world started pouring in. One of the resumes contained a Dharma Bip ransomware variant. When the email attachment was opened, the ransomware payload in the PDF started encrypting files, locking the company out of its computer systems. The attackers then demanded a two-bitcoin ransom, worth about $13,000.
Read more about the targeted ransomware attack on a small brewery on CSO.
Ransomware remains the top malware threat to organisations, causing millions of dollars of damage and remaining a potent tool for cyber criminals and nation-state attackers. The rise of highly targeted file-locking malware campaigns and the threat posed by nation-state backed campaigns mean ransomware “remains the key malware threat in both law enforcement and industry reporting,” warns Europol’s 2018 Internet Organised Crime Threat Assessment (IOCTA) report.
Ransomware families like Cerber, Cryptolocker, Crysis, CTBLocker, Dharma and Locky are cited among those most damaging to businesses over the past 12 months.
Read more about the findings of the new Europol report on ZDNet.
Adding to the rapidly growing list of multi-functional malware, a particularly nasty and unusual data-destroying malware tool has been discovered that combines botnet, coin mining, ransomware, and self-propagation capabilities. The malware, dubbed Xbash, contains capabilities that, when fully implemented, could let it spread very quickly inside an organization’s network.
Palo Alto Networks researchers say their analysis shows the malware targets Linux servers with its ransomware and botnet capabilities, and Windows servers for coin mining and self-propagation.
Read more about the newly discovered Xbash malware on DarkReading.