X-Industry

Last October 2020, researchers at US security company AdvIntel discovered that one of the Internet’s most troublesome malware platforms, Trickbot, had started testing something rather threatening: probing UEFI firmware chips inside targeted PCs to see whether they were vulnerable to known firmware vulnerabilities.  This was only reconnaissance, Trickbot was not infecting the SPI flash chip on which UEFI firmware resides, but the discovery is significant.

UEFI (Unified Extensible Firmware Interfa

Our Red Sky Alliance research predictions for 2021 are not necessarily in any order of importance yet presented as what we believe are the most important.

Ransomware…Ransomware… Ransomware

2020 saw a dramatic rise in ransomware activity.  While it is difficult to predict specifically what ransomware authors will do next, it can be expected that they will continue to do what has worked well for them in the past if it continues as profitable.  Ransomware ‘payment’ amounts saw a 217% rise in 2020 f

The Covid pandemic add numerous concerns with the shipment of cargo in many countries.  Part of these “concerns” are the drastic increase of ransomware into the IT and OT (operating technology) systems of the transportation sector.  Transportation Topics published a recent article regarding the growing transportation targeted ransomware threat.[1]  The authors report that ransomware attacks have jumped 715% year-over-year.   

United States Tennessee state-based trucking and logistics company For

For ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative.  Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and request a ransom to resolve the situation.  An old, yet tried and true use of chicanery.  Sometime old schemes become new schemes.  This is just the latest in a long line of shakedown tactics, which include not just using c

The cybercriminal-controlled botnet known as TrickBot has become a public enemy number one (again) for the cybersecurity community. It has survived takedown attempts by Microsoft, analysts from leading cybersecurity firms, and even US Cyber Command. It now appears that the hackers behind TrickBot are trying a new technique to infect the deepest recesses of infected machines, reaching beyond their operating systems and into their firmware.

The security firms AdvIntel and Eclypsium revealed that t

Ransomware was one of the most observed cyber threats this year to date. Ryuk and Sodinokibi, were the most observed villains in Red Sky Alliance’s client investigations, have been joined by Maze as the top three ransomware variants so far in 2020.  After launching several high-profile attacks earlier in 2020, the actors behind Ryuk ransomware seem to have gone on a vacation near the end of Q2. According to cyber threat analysts, Crimeware and their developers often have periods where they go do

Ransomware attacks on enterprises of all sizes across industry sectors are on the rise.  Cyber threat experts estimate that worldwide, ransomware is expected to infect a business every 11 seconds and projected to cost over $20 billion in 2021.  Any organization can be a victim as a successful ransomware attack is within the reach of cybercriminals everywhere.  As ransom demands have increased, organizations continue to pay these hefty sums.

The sophisticated threat actors have proven to be metic

Remember the Dark Side comics?  Well, the DarkSide criminal hacking group is no laughing matter.  The DarkSide Ransomware gang claims they are creating a distributed storage system in Iran to store and leak data stolen from victims.  DarkSide is operated as a Ransomware-as-a-Service (RaaS) where developers control programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

DarkSide is the latest ransomware criminal gang to anno

Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate. The goal is to render the website or service inoperable.  The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level.

DDoS attacks have not been in the spotlight this year, due the onslaught of high dollar a

The Ragnar Locker ransomware group has decided to ratchet up the pressure on its latest high-profile victim, Italian liquor conglomerate Campari, by taking out Facebook ads threatening to release the 2TB of sensitive data it downloaded in a November 3, 2020 attack unless a US$15 million ransom is paid in Bitcoin.  Attacks that are carried out by the gang behind Ragnar Locker, break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manuall

The past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, corresponded with an observed decrease in Ryuk deployments. This suggested that Conti is the “successor” of Ryuk. Some media outlets have also reported that Conti was an evolved version of Ryuk, suggesting that it has evolved from the RYUK source code. While this may have been true for very early samples, a Red Sky analysis of recent

American toy manufacturing giant Mattel this week revealed that it fell victim to a ransomware attack that impacted some of its operations.  Founded in 1945 and headquartered in El Segundo, California, Mattel is one of the largest toy sellers in terms of revenue, with its operations divided into three segments, namely North America, International, and American Girl.  Mattel sells products such as Barbie, Fisher-Price, Monster High, American Girl, Polly Pocket, and Hot Wheels in 150 countries, an

It should come as no reprise that ransomware groups that steal a company's data and then get paid a fee to delete it don't always follow through on their promise.

The number of cases where this has happened has increased, according to a report[1] published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months. These incidents take place only for a certain category of ransomware attacks — namely those carried out by

The Maze cybercrime gang, which revolutionized the ransomware business by adding an extortion element to each attack, has issued a statement saying it has hung up its spikes and will retire, at least temporarily.  Can you believe anything a ransomware group says?  Maze posted a "retirement" notice to its darknet site on Nov. 1 saying: "This project is now closed." The word "project" appears to be a reference to the ransomware gang stating in the note that its attacks were intended to teach its v

US authorities are sharing a quick reference on Ransomware.  "Ransomware is a type of malicious software cyber actors use to deny access to systems or data.  The malicious cyber actor holds systems or data hostage until the ransom is paid.  After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems.  If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. L

Link to full report: Ransomware_Exec

The Ryuk threat actors have struck again, moving from sending a phishing email to complete encryption across the victim’s network in just five hours. That breakneck speed is partially the result of the gang using the Zerologon privilege-escalation bug (CVE-2020-1472) less than two hours after the initial phish.

The Zerologon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Mic

US Cyber Command, Microsoft, and Europol are attacking Trickbot's malicious infrastructure, ahead of the elections. It won't stop hackers from adapting but is expected to create breathing space during the elections. Check out these slides if you missed the webinar on October 21, 2020 to find out more:

View Webinar

Ransomware attacks remain the top cyber-enabled threat seen by law enforcement agencies.  But phishing campaigns, business email compromises, and other types of fraud that are now using COVID-19 themes are increasing.  Red Sky Alliance has members, clients, and readers from around the world and this article has been written from the European Union viewpoint, which actually applies internationally to global defense against cyber-crimes.  Our source is the seventh annual Internet Organized Crime T

SMB’s Need to Prepare for Today and Tomorrow’s Cyber Threats

The cybersecurity landscape presents new challenges at businesses - every day.  Please be aware of these 10 threats to help your business avoid a major attack or breach.  When it comes to securing your network, software, and data from potential attackers, Small to Midsize Businesses (SMBs) have numerous concerns.

Security for increasingly mobile and online-focused businesses is a multifaceted problem, especially for SMBs that lack the

Microsoft collaborated with cybersecurity companies and government agencies to take down the million-device Trickbot botnet to help protect the November 3^rd US Presidential election and stop the global spread of ransomware and other malware. The botnet has been used to distribute a variety of malicious code, including the Ryuk ransomware variant, which the US government has cited as a potential threat vector against the election. 

Microsoft obtained a court order from the US District Court, East