The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024. The enterprise security firm Proofpoint reported that the activity targets organizations in the US with voicemail-themed lures containing links to OneDrive URLs. "The URLs led to a Word file with names such as "ReleaseEvans#96.docm" (the digits before the file extension varied)," the company said in a recent report. "Th
Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children’s hospital and that the US government is doing too little to prevent such breaches. Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems’ data and networks hostage f
The Colonial Pipeline ransomware infection has become a cautionary story about how ‘borking’ critical infrastructure can cause real-world pain, with fuel shortages leading to long lines and fistfights breaking out at gas stations. Or as Jen Easterly, boss of the US Cybersecurity and Infrastructure Security Agency, warned Congress recently, "Societal panic and chaos."
The CISA Director and other security and law enforcement chiefs stressed the reality in which nation-states operating against Ame
Is nothing sacred? Criminal hackers have reached a new low. The Municipality of Korneuburg in Austria said it was hit by a ransomware attack, leading to funerals reportedly being canceled and the town hall informing residents its staff can only be reached via telephone. The small town on the banks of the Danube a few kilometers north of Vienna has a population of under 13,000 people. In a statement on the municipality’s website, the town hall said its technical department was “working hard t
French multinational Schneider Electric is reporting that its Sustainability Business division suffered from a ransomware attack earlier this month. The company confirmed the incident in a statement this week that the attack affected its Resource Advisory product, a data visualization tool for sustainability information, as well as other “division specific systems.”
Schneider Electric said that data was accessed by the hackers. Bleeping Computer, which first reported the incident, said the
Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that identifies and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023 with the variant Version 0.1.0. Version 0.3.0 was released in late December, followed by version 0.3.3 in mid-January 2024.
Link to full report: IR-24-029-001_WhiteBat.pdf
The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims unwilling to agree to their demands. As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion, or downloading all the data. These options have a price tag depending
The least surprising headline from 2023 is that ransomware again set new records for a number of incidents and the damage inflicted. There were new headlines every week, which included big name organizations: MGM, Johnson Controls, Chlorox, Hanes Brands, Caesars Palace, and so many others.
Phishing-driven ransomware is the cyber threat that looms larger and more dangerous than all others. CISA and Cisco report that 90% of data breaches are the result of phishing attacks and monetary losses t
The banking malware known as Carbanak has been observed to be used in ransomware attacks with updated tactics. The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness. Carbanak returned in November 2023 through new distribution chains and has been distributed through compromised websites to impersonate various business-related software.
Some impersonated tools include popular
A Microsoft representative announced on 28 December 2023 that it is again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware. "The observed threat actor activity abuses the current implementation of the ms-app installer protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said. It further noted that several cybercriminals are offering a malwar
Mortgage servicing firm LoanCare https://myloancare.com has started informing more than 1.3 million individuals of a data breach impacting their personal information. A subsidiary of Fidelity National Financial (FNF), LoanCare provides loan sub-servicing for mortgage loaners, including banks, credit unions, and mortgage firms. The data breach resulted from a cyberattack on FNF’s internal systems, LoanCare says in a notification letter sent to the impacted individuals, a copy of which was submi
A known ransomware group claims to have breached the systems of Kraft Heinz, but the food company says it cannot verify the cybercriminals’ allegations. The ransomware group named Snatch publicly named Kraft Heinz on its website on 14 December 2023, but the post appears to have been created on 16 August 2023, which indicates that the attack occurred months ago.
Snatch ransomware first appeared in 2018 and was formerly called Team Trun
Microsoft’s spokesman announced on 13 December 2023 the disruption of Storm-1152, a Cybercrime-as-a-Service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts supporting phishing, identity theft, and other schemes. The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, Distributed Denial-of-service (DDoS), and other types of attacks.
Ransomware isn’t new, yet organizations still struggle to guard against this threat. According to the Fortinet 2023 Global Ransomware Report, in 12 months, two-thirds of organizations were targeted by ransomware, with half of those falling victim to an attack. As attackers advance their tactics, security and IT leaders must prepare for the inevitability of a ransomware attack. It is no longer a matter of “if” a business will be breached but “when.” Along with business leaders, those in the C
Just three months after the National Credit Union Administration (NCUA) put into place a final rule requiring federally chartered and federally insured credit unions to notify NCUA of a "reportable cyber incident," about 60 credit unions in the United States experienced outages because of a ransomware attack on an IT provider the institutions use, according to a US federal agency. The final NCUA rule went into effect on 01 September 2023, requiring that affected credit unions should notify the
The ransomware strain known as Play is now being offered to other threat actors "as a service." The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the Ransomware-as-a-Service (RaaS) and are following step-by-step instructions from playbooks delivered with it.
Cybercriminals are increasingly finding it just as lucrative to hire their toolkits out to other crooks so they can launch attacks of their own. Investigator
“We’re open for everyone,” announces a brightly colored sign welcoming visitors to the British Library. But inside the airy building beside London’s St Pancras Station, not everyone can get what they want. Not since the library was struck by cyber criminals at the end of last month. The ransomware attack, carried out by a group known for such activity, has knocked out the website of the UK’s national library. It has also taken down the WiFi, upon which the crowds who come here to work rely.
A well-known ransomware group has recently filed a complaint with the US Securities and Exchange Commission (SEC) over the failure of a victim to disclose an alleged data breach resulting from an attack conducted by the cybercrime gang itself.
The ransomware group known as Alphv and BlackCat claims to have breached the systems of MeridianLink, https://www.meridianlink.com a California-based company that provides digital lending solutions for financial institutions and consumer data verificatio
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. GootLoader is a stealthy malware classified as a first-stage downloader designed to attack Windows-based systems. It is considered an Initial-Access-as-a-Service (IAaaS) tool used within a ransomware-as-a-service (RaaS) criminal business model. The GootLoader group's introduction of their custom bot into the late stages of their attack chain is an at
RanswomwareWhen researchers responded to an ad to join up with a Ransomware-as-a-Service (RaaS) operation, they wound up in a cybercriminal job interview with one of the most active threat actors in the affiliate business, who turns out to be behind at least five different strains of ransomware. Meet "farnetwork," who was unmasked after giving over too many specifics to a Group-IB threat researcher pretending to be a potential affiliate for the Nokoyawa ransomware group. The cybercriminal is a