Tag Archive for: bust

Feds bust Blackcat malware ring


The US Department of Justice has shut down what it claims to be one of the most prolific ransomware operations on the planet.

The Justice Department said that its Southern Florida District Office was leading the charge against operators of the ransomware family that is said to have compromised thousands of victims.

Police used a purpose-built decryption tool to help victims of the malware recover their data without having to pay the attackers' ransom demands and thereby fund further cybercrime operations.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said deputy attorney general Lisa Monaco.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online.”

Like most modern ransomware operations, BlackCat operates under a service model: the ransomware authors sell a license to third-party hackers (affiliates) who then do the dirty work of infiltrating networks and running the ransomware code.

“Before encrypting the victim system, the affiliate will exfiltrate or steal sensitive data,” the DOJ said.

“The affiliate then seeks a ransom in exchange for decrypting the victim’s system and not publishing the stolen data. Blackcat actors attempt to target the most sensitive data in a victim’s system to increase the pressure to pay.”

Officials with the DOJ passed credit on to law enforcement in the UK, Spain, Germany, Austria, Australia, and Europol.

According to officials, the crackdown on the BlackCat group (aka ALPHV and Noberus) has led to some 500 companies regaining access to systems that had been locked by ransomware.

“The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems,” the DOJ said.

“To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68m.”

Source…

Police Bust Ransomware Gang in Ukraine for Attacking 1,800 Victims


European police say they’ve dismantled a ransomware group in Ukraine that was behind a series of high-profile attacks on corporations across the globe.

Law enforcement arrested the suspected 32-year-old ringleader of the group, along with four of his most active accomplices, Europol said on Tuesday. Law enforcement agencies, including officials from the US, also helped search 30 properties across Ukraine tied to the gang, including in the capital, Kyiv.

Europol didn’t say whether the gang developed the ransomware code itself. But the group used several ransomware strains, including “LockerGoga, MegaCortex, HIVE and Dharma,” to attack companies. This suggests they operated as an “affiliate,” buying access to the ransomware from its developers rather than writing it.

Police investigating the hacker's phones.

(Credit: Cyber Police of Ukraine)

Europol adds: “The suspects had different roles in this criminal organization. Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.”

To get ransomware into the corporations, the group sent phishing emails to employees or guessed their login passwords. Once inside a company network, the gang would use other tools, including the Trickbot malware, to gain wider access. The ensuing ransomware attack would then encrypt servers across the network, forcing the victim companies to pay up in cryptocurrency or risk losing their data forever.

“These attacks are believed to have affected over 1,800 victims in 71 countries,” added the European Union Agency for Criminal Justice Cooperation (Eurojust). “The perpetrators targeted large corporations, effectively bringing their business to a standstill and causing losses of at least several hundred million euros.”

The Cyber Police of Ukraine also assisted in taking down the gang, which allegedly began targeting companies in 2018. In one example, the group demanded that a company in the Netherlands pay 450 Bitcoin ($16.8 million in today’s value) to restore its servers.

“It has been established that over several years of criminal…

Source…

European Police, FBI Bust Up International Ransomware Crime Ring


A coordinated international law enforcement operation has seriously dented a Russia-linked DoppelPaymer ransomware gang responsible for numerous digital hijackings and extortions worldwide since 2019, according to a Europol briefing.

Nations Team Up to Bust Gang

German and Ukrainian police, working in concert with Europol, the Dutch police and the FBI, last month raided a house belonging to a German national believed to be a major player in the crime syndicate, interrogated suspects and seized equipment for forensic analysis.

Investigators said they identified 11 individuals linked to the DoppelPaymer group, which has operated in various iterations since at least 2010. The gang is said to have ties to a Russia-based outfit formerly engaged in online banking theft that pre-dated its ransomware activity.

Despite the “current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia,” Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group.

During the searches, they seized electronic equipment, which is currently under forensic examination, to determine the suspects’ roles and links to other co-conspirators, Europol said. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv.

German police have also issued arrest warrants for three additional suspects based in Russia: Igor Turashev, Igor Garshin and Irina Zemlyanikina. Turashev, who is also wanted by the FBI for his alleged role in the sanctioned Evil Corp hacking group, is accused of “having committed acts of blackmail and computer sabotage in particularly serious cases.”

On the days the law enforcement operation was carried out, Europol said it deployed three experts to Germany to cross-check operational information against Europol’s databases and to provide further operational analysis, crypto tracing and forensic support. The data and other related cases are expected to trigger further investigative activities.

Ransoms Reach $42 million

Dirk Kunze, who heads the cybercrime department with North Rhine-Westphalia state police, told the Associated Press…

Source…

Nokoyawa Ransomware: Rust or Bust


Key Points

Nokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022.
The threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from organizations, followed by file encryption and a ransom payment demand.
Nokoyawa was initially written in the C programming language, using Elliptic Curve Cryptography (ECC) with SECT233R1 and Salsa20 for file encryption.
In September 2022, Nokoyawa was rewritten in the Rust programming language, using ECC with Curve25519 and Salsa20 for file encryption.
The Rust-based Nokoyawa ransomware 2.0 provides threat actors with runtime flexibility via a configuration parameter that is passed on the command line.

Nokoyawa ransomware was discovered in February 2022 and shares code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language; file encryption used asymmetric Elliptic Curve Cryptography (ECC) on curve SECT233R1 (a.k.a. NIST B-233) via the Tiny-ECDH open source library, combined with a per-file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.

Nokoyawa 2.0 was developed in the Rust programming language and appears to have been created in late September 2022. Nokoyawa is not the first ransomware family to be written in Rust: the Hive ransomware author previously migrated from the Go (a.k.a. Golang) programming language to Rust, and the BlackCat/ALPHV ransomware family is also compiled in Rust. The growing popularity of Rust among ransomware authors may be due to its emphasis on performance and concurrency, which can make a ransomware’s file encryption more efficient. Like the previous version of Nokoyawa, the Rust variant is compiled only for 64-bit versions of Windows.

This blog provides a technical analysis of Nokoyawa 2.0 including its new configuration, encryption algorithms, and data leak site.

Technical Analysis

Nokoyawa 2.0 cannot be executed without providing the required command-line arguments…

Source…