Tag Archive for: threatens

Ransomware group threatens to leak Stanford police data


Notorious ransomware gang ‘Akira’ listed Stanford University on the darknet as the target of a ransomware attack on Friday morning. Screenshots of the listing were shared on other parts of the internet, including the r/stanford subreddit and on X (formerly Twitter) by cyber risk analyst Brett Callow. 

University spokesperson Luisa Rapport confirmed “this is the same as the SUDPS cybersecurity incident” previously covered by The Daily. 

Akira claims to hold 430 gigabytes of internal data, including private information and confidential documents. They threatened to leak the information online if the University did not pay an unspecified ransom. The Stanford University Department of Public Safety processes and stores data on personnel, case reports, risk evaluations and crime involving students, faculty and other community members. It is unclear at this point how much of this data was lost or encrypted by this ransomware. 

The University wrote in a Friday statement that “there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies.” According to the statement, “the investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community.”

The Akira listing describes Stanford as “known for its entrepreneurial character.” The group threatened that, “Soon the university will be also known for 430Gb of internal data leaked online. Private information [and] confidential documents.”

Chris Hoofnagle, law professor and director of the Center for Law & Technology at the University of California, Berkeley, wrote to The Daily that attackers interested in police entities are sometimes “a nation state or organized crime” group. 

“The first steps of identifying the scope of the breach can be quite expensive and time consuming. Almost all entities hire outside forensic firms to do the analysis,” Hoofnagle wrote.

He wrote it was “best practice” to limit information until there was information on the full scope of the breach and the network was secure. “Institutions do not want to get into a drip situation where they notify…

Source…

Ransomware attack threatens to expose McLaren Health patient data


Michigan Attorney General Dana Nessel warned this week a cyberattack against McLaren Health Care could affect a large number of patients.

McLaren Health, a healthcare system with 15 Michigan hospitals, was hit by a ransomware attack in August, according to the attorney general’s office. Ransomware, a type of malware that can shut down an entire network, is used to steal data before encrypting the system. The stolen information is then held hostage until a ransom is paid.

“This attack shows, once again, how susceptible our information infrastructure may be,” Nessel said in a statement. “Organizations that handle our most personal data have a responsibility to implement safety measures that can withstand cyber-attacks and ensure that a patient’s private health information remains private.”

A cybercriminal group called ALPHV, or BlackCat, claimed responsibility for stealing the sensitive personal health information of 2.5 million McLaren patients, a news release said. But the actual number of affected patients and the type of health information remains unknown.

ALPHV claimed in a message posted to the dark web last week the McLaren data was on the dark web and would be released in a few days unless a ransom payment was received. The group is also linked to the data breach at MGM Resorts that is reportedly costing $100 million.

McLaren shared a statement saying, “we are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible.”

The healthcare group also said it found no evidence the cybercriminals still have access to the IT system. McLaren has brought in security experts and is working with law enforcement, a news release said.

“Protecting the security and privacy of data in our systems is a top organizational priority, so we immediately launched a comprehensive investigation to understand the source of the disruption and identify what, if any, data exposure occurred,” McLaren said.

Nessel encouraged McLaren patients to protect their data and know the warning signs when someone is using private medical information:

  • A doctor’s bill for services you did not…

Source…

Agenda ransomware threatens to resurface


Stephen Osler, co-founder and business development director, Nclose.

Stephen Osler, co-founder and business development director, Nclose.

The Agenda ransomware, which quickly gained notoriety for being able to trigger customised ransomware attacks at intended targets, is on the radar again. Cyber security experts warn of the threat to South African sectors, particularly healthcare and education.

Agenda was created in the Go open source programming language (Golang) developed by Google. It was first detected in late 2022 in Indonesia, Thailand, Saudi Arabia, and South Africa, but seemed to have become dormant – until now.

According to market research by Trend Micro there have been a few incidents at the beginning of 2023, serious enough for cyber security experts to issue another warning that organisations cannot afford to let their guard down.

This is mainly because of the ransomware’s sophisticated capabilities. They enable Agenda to bypass antivirus processes, change passwords, encrypt data, and gain unauthorised access to systems using new credentials. If undetected and not contained, it has the potential to bring down networks, says Trend Micro.

Stephen Osler, co-founder and business development director at cyber security specialist Nclose, says as is the case with most ransomware tools, Agenda takes advantage of poor security practices, weak passwords, and inadequate system patching.

It also has built-in tools and algorithms that enable it to encrypt files using a string of random characters as a file extension. This file contains a ransom note detailing threats or leaks of sensitive information if the ransom isn’t paid. It also includes warnings of additional consequences if attempts are made to decrypt the files.

“So, the severity is high, and threat is high from the start,” says Osler.

South Africa a prime target

South Africa has consistently been the primary target for ransomware and business e-mail compromise among African countries, Nclose notes.

The company refers to the latest State of Ransomware report by Sophos, which states that 78% of the South African companies surveyed reported being subjected to a ransomware attack in the past year. This represents a notable increase from the 51% reported in the…

Source…

US-Canada water org confirms ‘cybersecurity incident’ after ransomware crew threatens leak • The Register


The International Joint Commission, a body that manages water rights along the US-Canada border, has confirmed its IT security was targeted, after a ransomware gang claimed it stole 80GB of data from the organization.

“The International Joint Commission has experienced a cybersecurity incident, and we are working with relevant organizations to investigate and resolve the situation,” a spokesperson for the org told The Register.

The spokesperson declined to answer specific questions about what happened, or confirm the miscreants’ data theft claims.

IJC is a cross-border water commission tasked with approving projects that affect water levels of the hundreds of lakes and rivers along the US-Canada border. It also resolves disputes over waters shared between the two countries. 

On September 7, the NoEscape ransomware crew listed IJC as a victim on its dark-web site, and claimed it breached the commission’s network, and then stole and encrypted a flood of confidential data. This info, according to the crooks, included contracts and legal documents, personal details belonging to employees and members, financial and insurance information, geological files, and “much other confidential and sensitive information.”

The cyber-crime gang has given the IJC ten days to respond to its ransom demand, or it may make the swiped info public. 

“If management continues to remain silent and does not take the step to negotiate with us, all data will be published,” the NoEscape leak notice threatened. “We have more than 50,000 confidential files, and if they become public, a new wave of problems will be colossal. For now, we will not disclose this data or operate with it, but if you continue to lie further, you know what awaits you.”

The IJC spokesperson contacted by The Register declined to comment on the ransom demand or if the commission would pay.

Who is NoEscape?

NoEscape is a ransomware-as-a-service operation that appeared in May and takes a double-extortion approach. That means instead of simply infecting victims’ machines with malware, encrypting their files and demanding a ransom to release the data, the crooks first steal the files before locking them up. They threaten to…

Source…