Tag Archive for: double

Fileless, Double Extortion, AI and More — Virtualization Review

Ransomware in 2024: Fileless, Double Extortion, AI and More

Ransomware in 2024 will be much like ransomware in 2023 except for a few new twists that organizations should be aware of.

Along with “traditional” ransomware attacks, threat actors are continually upgrading their game with new approaches, technology and techniques.

To help organizations get a handle on the primary security threat of our times, experts Dave Kawula and John O’Neill Sr. recently presented an online summit titled “2024 Ransomware Outlook,” which is now available for on-demand replay.

Relatively new ransomware techniques such as double extortion, Ransomware-as-a-Service (RaaS), fileless ransomware, Living-off-the-Land (LotL) attacks and more were discussed by Kawula, managing principal consultant at TriCon Elite Consulting, and O’Neill Sr., chief technologist at AWS Solutions. Both are on the front lines of the cybersecurity wars, continually helping organizations protect themselves or recover from attacks.

Here’s a summary of their thoughts on a couple of ransomware concerns in 2024.

Double Extortion
This technique is a more complex and aggressive form of cyberattack compared to traditional ransomware. In a double extortion attack, cybercriminals not only encrypt the victim’s data, rendering it inaccessible, but also steal sensitive information before encrypting it.

Figure: Double Extortion

Key aspects of this technique include:

  • Data Theft and Encryption: The first step involves infiltrating a victim’s network and exfiltrating, or stealing, sensitive data. The attackers then encrypt crucial data; exfiltration is normally done before encryption, because encryption is the noisy, final stage that reveals the intrusion.
  • Dual Threat: Victims face two threats — the encryption of their data and the potential leak of their stolen information. This double threat significantly increases the pressure on the victim to pay the ransom.
  • Ransom Demands: The attackers demand a ransom payment to decrypt the stolen data….

Source…

CISA and FBI Issue Warning About Rhysida Ransomware Double Extortion Attacks

The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations spanning various industry sectors.

The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates,” the agencies said.

“Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.”

First detected in May 2023, Rhysida makes use of the time-tested tactic of double extortion, demanding a ransom payment to decrypt victim data and threatening to publish the exfiltrated data unless the ransom is paid.

It’s also said to share overlaps with another ransomware crew known as Vice Society (aka Storm-0832 or Vanilla Tempest), owing to similar targeting patterns and the use of NTDSUtil as well as PortStarter, which has been exclusively employed by the latter.

According to statistics compiled by Malwarebytes, Rhysida has claimed five victims for the month of October 2023, putting it far behind LockBit (64), NoEscape (40), PLAY (36), ALPHV/BlackCat (29), and 8BASE (21).

The agencies described the group as engaging in opportunistic attacks to breach targets and taking advantage of living-off-the-land (LotL) techniques to facilitate lateral movement and establish VPN access.

In doing so, the idea is to evade detection by blending in with legitimate Windows systems and network activities.
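The advisory text above names three behaviours a defender can look for: NTDSUtil use (the tooling overlap with Vice Society), Zerologon (CVE-2020-1472) for initial access, and living-off-the-land tooling that blends in with normal Windows activity. The following Python is an added example written for this page; it is not code from the advisory, from CISA/FBI/MS-ISAC, or from any vendor cited here. It runs two detection rules over constructed, simplified log lines (pipe-separated fields loosely modelled on Windows Security Event IDs 4688 and 4742, not real telemetry). The Zerologon rule, a machine-account password change attributed to ANONYMOUS LOGON, is a common heuristic and an assumption of this example, not something the advisory specifies.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Format, chosen for this example:
#   EventID|Host|SubjectUser|Payload
# where Payload is the command line for 4688 (process creation) and the target
# account for 4742 (computer account changed).
SAMPLE_EVENTS = [
    r"4688|WS01|CORP\jdoe|notepad.exe C:\Users\jdoe\notes.txt",
    r'4688|DC01|CORP\svc-backup|ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ntds" q q',
    r"4688|DC01|NT AUTHORITY\SYSTEM|ntdsutil.exe",  # bare launch, no IFM dump: not flagged
    r"4742|DC01|ANONYMOUS LOGON|DC01$",              # Zerologon-style machine password reset
    r"4742|DC01|CORP\admin|WS07$",                   # routine admin change: not flagged
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Rule 1: ntdsutil asked for an Install-From-Media (IFM) snapshot. That is the
# living-off-the-land way to copy NTDS.dit, the AD credential database, using a
# signed Microsoft binary instead of dropping a third-party dumping tool.
NTDSUTIL_IFM = re.compile(r"ntdsutil(?:\.exe)?\b.*\b(?:ifm|create\s+full)\b", re.IGNORECASE)


def parse_event(line: str):
    """Split one constructed log line into its four fields; None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    event_id, host, subject, payload = (p.strip() for p in parts)
    return {"event_id": event_id, "host": host, "subject": subject, "payload": payload}


def check_event(ev):
    """Apply the two rules to one parsed event; return a Finding or None."""
    if ev["event_id"] == "4688" and NTDSUTIL_IFM.search(ev["payload"]):
        return Finding(ev["host"], "ntdsutil-ifm-dump", ev["payload"])
    # Rule 2 (heuristic, an assumption of this example): a computer-account
    # password change attributed to ANONYMOUS LOGON. A successful Zerologon
    # (CVE-2020-1472) exploit resets the DC machine account password over an
    # unauthenticated Netlogon channel, which is how this pattern arises.
    if (ev["event_id"] == "4742"
            and ev["subject"].upper() == "ANONYMOUS LOGON"
            and ev["payload"].endswith("$")):
        return Finding(ev["host"], "zerologon-like-machine-password-reset", ev["payload"])
    return None


def scan(lines):
    """Return all findings for an iterable of log lines, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        finding = check_event(ev)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Running the block flags only the IFM dump on DC01 and the anonymous machine-account reset; the bare ntdsutil launch and the administrator's routine change pass, which is the point of matching on the IFM arguments and on the subject rather than on the binary name alone. In a real environment the same rules would sit on 4688/Sysmon command lines and 4742 account-management events from the domain controllers.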

The link between Vice Society and Rhysida has been bolstered by research published by Sophos earlier last week, which observed the same threat actor deploying Vice Society ransomware until June 2023, when it switched to Rhysida.

The cybersecurity company is tracking the cluster under the name TAC5279.

“Notably, according to the ransomware group’s data leak site,…

Source…

EU Commission pitches double reporting of open security loopholes in cybersecurity law – EURACTIV.com


The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission proposed a middle ground that would double the receivers.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations of product manufacturers, there is one to report not only cybersecurity incidents, as has been the case in previous legislation, but also actively exploited vulnerabilities.

If a vulnerability is being actively exploited, attackers are already using an entry point into the product that has not yet been closed on affected systems. Information about such vulnerabilities is therefore highly dangerous if it falls into the wrong hands, and who should handle it is a politically sensitive question.

In the original Commission text, ENISA, the EU cybersecurity agency, was assigned this complex work – an approach that found support in the Parliament. By contrast, European governments want to move this task to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported that a possible landing zone could be to accept the role of the CSIRTs but with stronger involvement of ENISA, and that the EU executive had proposed that both bodies receive the reports simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black-and-white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would, therefore, be in the driving seat of the reporting process, for instance, to request the manufacturer provide an intermediate report. The notifications would be submitted via a pan-European platform to the end-point of the CSIRT of the country where the company has its main establishment.

“A manufacturer shall…

Source…

Risk briefing: double extortion ransomware explained | Analysis


What is double extortion ransomware?

Ransomware has grown from a moderate risk to a major headline-grabbing challenge.

In its simplest form, ransomware is malicious software that allows a hacker to restrict access to an individual’s or company’s vital information in some way, and then demand some form of payment to lift the restriction.

An extension of these traditional ransomware attacks is double extortion ransomware. This is when adversaries not only encrypt data but also exfiltrate a copy of it, which gives them additional leverage in demanding payment.

As well as causing disruption and financial impact, double extortion strategies open victims up to increased reputational harm and potential compliance breaches, as well as the possibility of compensation to their clients and business partners.

Since the emergence of double extortion ransomware, some threat actors have further adapted their attack models to no longer focus on encryption.

Instead, they simply steal critical data and use that as their leverage. The continued evolution of ransomware attacks is extremely concerning because of the speed with which cybercriminals can now cause long-lasting damage to an organisation’s systems.

How is ransomware evolving – is it on the rise? 

Ransomware is one of the most damaging and frequent forms of cyberattack facing modern organisations and is a security challenge that is constantly evolving.

Threat actors are going after bigger targets for bigger pay-outs, leaving no organisation safe from attack. It is a growing problem, with a total of 236.1 million ransomware attacks hitting organisations worldwide in the first half of 2022, according to Statista.

Despite a greater awareness of ransomware, organisations are still falling victim to this ever-growing risk.

Threat actors are continuing to ramp up their attack methods, focusing more on stealing and corrupting data rather than encrypting it for faster and easier attacks.

When a threat actor encrypts data, they need to manage the whole decryption process and this exposes them to risk…

Source…