Tag Archive for: Blogs

Ransomware Groups’ Data Leak Blogs Lie: Stop Trusting Them


Fraud Management & Cybercrime
,
Ransomware


March 15, 2024    

Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them
Ransomware leak sites are not reliable sources of data. (Shutterstock)

Ransomware gangs are not reliable sources of information. Groups that run data leak blogs – and not all do – use them to pressure new and future victims into paying for the promise of either a decryptor or a pledge to delete stolen data.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

The number of victims that end up on a data leak site is inherently incomplete. Victims who pay a ransom quickly don’t get posted; criminals don’t publish these numbers. In addition, “some groups post more of their nonpaying victims than others,” and it’s often not clear why, said Brett Callow, a threat analyst at Emsisoft.

As a result, relying on data leak blogs to build a picture of attack volume can lead to wildly inaccurate results, not only about victim count but about the impact of any given attack. Unfortunately, some cybersecurity organizations, often aided and abetted by us in the media, regularly track fresh victims claimed by ransomware groups via their Tor-based data leak blogs, aka “name and shame” sites.

“Relying on shame blogs is the last thing we should do while assessing a group threat,” said Yelisey Bohuslavskiy, chief research officer at RedSense. “Blogs reflect how often extortion fails, and the victim decides to show the criminals a middle finger. Often, the fewer victims are on the blogs, the more successful the group…

Source…

Domino Backdoor is Lead by FIN7 and Conti Actors – Blogs


A new Domino Backdoor popped out at the beginning of 2023. Since February, a new malware family coined Domino is used for attack on corporations, having Project Nemesis stealer as a final payload. Analysts say that the new backdoor is controlled and developed by ex-TrickBot/Conti actors and hackers related to the FIN7 group.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the ceased Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names of Carbanak (after the backdoor they use), ITG14 and ALPHV/BlackCat. They are most notorious for collaborations with widely-known threat actors, like Ruyk and REvil ransomware, and the release of their own ransomware, called ALPHV. It is still running, and had a couple of noteworthy attacks the past year.

ALPHV onionsite
ALPHV onionsite. Gang uses it to publish data leaked from victims that refused to pay the ransom

Conti is a similar and different story simultaneously. They have built their image around an eponymous ransomware sample. Same as FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top-management and further publication of its source code. That, eventually, led to the group’s dissolution. Previous to these events, Conti was a prolific ransomware gang with a major share on the market.

Their collaboration is an expected thing. Nature abhors a vacuum, so after the gang breakup its members promptly joined other groups, or started new ones. However, the collaboration with other gangs on the creation of brand-new malware is a pretty outstanding case. That may be a great start of a new character on the scene, a new threat actor, or just a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that is capable of malware delivery. It is noticed for spreading a separate malware dropper, coined Domino Loader. The former provides only remote access to the targeted system, while the latter serves for malware deployment. This duo is spotted for being used in a pretty unique…

Source…

Android malware “out of control,” says Fortinet – IT World Canada Blogs (blog)

Android malware "out of control," says Fortinet
IT World Canada Blogs (blog)
Finally, the report notes that that the cybercriminals behind the ZeroAccess botnet are “making great strides (and spending a significant amount of money)” maintaining the size of their botnet. One version of ZeroAccess is used for online ad click

android botnet – read more