Whitehats use DoS attack to score key victory against ransomware crooks

A diagram showing how a DoS shut down an ongoing ransomware campaign. (credit: Intezer)

Whitehats used a novel denial-of-service hack to score a key victory against ransomware criminals. Unfortunately, the blackhats have struck back by updating their infrastructure, leaving the fight with no clear winner.

Researchers at security firm Intezer performed the DoS technique against ransomware dubbed QNAPCrypt, a largely undetected strain that, as its name suggests, infects network storage devices made by Taiwan-based QNAP Systems and possibly other manufacturers. The hack spread by exploiting secure shell (SSH) connections that used weak passwords. The researchers’ analysis found that each victim received a unique bitcoin wallet for sending ransoms, a measure that was most likely intended to prevent the attackers from being traced. The analysis also showed that QNAPCrypt only encrypted devices after they received the wallet address and a public RSA key from the command-and-control server.

Georgia courts (mostly) shrug off ransomware attack

The latest victim of an apparent wave of Ryuk ransomware has managed to fend off paying attackers, but not everyone is getting away unscathed. (credit: Getty Images)

A spokesman for Georgia’s Administrative Office of the Courts has confirmed that the AOC’s information technology team discovered ransomware on the organization’s servers on Saturday. While the spokesman could not provide specific details about the ransomware involved in the attack, its characteristics are consistent with the Ryuk ransomware that has struck multiple companies and government agencies over the past few months—including at least two Florida cities.

Bruce Shaw, communications and outreach specialist for the AOC, told Ars that a file containing contact information for the ransomware operators was left on the affected servers but that no specific ransom was demanded. “After an assessment of our system, it was determined that it would be best to take our network offline,” Shaw

Ryuk, Ryuk, Ryuk: Georgia’s courts hit by ransomware

Court systems in Georgia are down due to a ransomware attack. Surprise. (credit: Rivers Langley / SaveRivers / Wikimedia)

Georgia’s Judicial Council and Administrative Office of the Courts is the victim of the latest ransomware attack against state and local agencies. And this looks like the same type of attack that took down the systems of at least two Florida municipal governments in June.

Administrative Office of the Courts spokesman Bruce Shaw confirmed the ransomware attack to Atlanta’s Channel 11 News. The Administrative Office of the Courts’ website is currently offline.

Shaw told 11 News that some systems had not been affected by the ransomware but that all systems connected to the network had been taken offline to prevent the ransomware from spreading. The Courts’ IT department was in contact with “external agencies” to coordinate a response to the attack, Shaw said.

Florida LAN: Someone clicks link, again, giving Key Biscayne ransomware

Key Biscayne, Florida, is the third Florida local government to get hit by ransomware within a month. (credit: Alicia Vera/Bloomberg via Getty Images)

A third Florida local government has reported that it has been struck by ransomware. Key Biscayne joins Lake City as a victim of Ryuk, a form of ransomware first spotted in August of 2018. Ryuk was the final piece of what has been labeled the “Triple Threat” attack, the other two threats being Emotet and Trickbot malware.

While the attack on Riviera Beach, Florida, revealed last week was similar—all three cases start with a city employee clicking on an attachment in email and unleashing malware—it’s not certain if that attack was also based on Ryuk.

Ryuk is targeted ransomware, originally linked to the North Korean “Lazarus” threat group, but now it appears to have been adopted by non-state criminal ransomware operators as well.

“We need to up our game”—DHS cybersecurity director on Iran and ransomware

Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, at a recent Senate hearing. Krebs issued a warning earlier this week on a surge in Iranian state-sponsored “malicious cyber activity.” (credit: Tom Williams/CQ Roll Call via Getty Images)

Last weekend, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs issued a statement warning about elevated malicious Internet activity from state-sponsored actors in Iran. The notice corresponded to new warnings from private security research firms, including Recorded Future, of a surge in preparatory activity over the past three months by APT33, a threat group connected to the Iranian government and Iranian Revolutionary Guard Corps (IRGC, Iran’s military).

In an interview with Ars, Krebs explained that the reason for the warning went beyond that “regional activity”—attacks on Saudi Arabian companies and other organizations in the Persian Gulf and South Asia.

“Over the course of the

New ransomware infections are the worst drive-by attacks in recent memory

(credit: Malwarebytes)

An ongoing operation that’s installing ransomware and other malware on the computers of unsuspecting website visitors is one of the most potent drive-by attack campaigns researchers have seen in recent memory.

The attacks install three pieces of malware using an exploit kit called GreenFlash Sundown, which researchers identified in 2015 and have continued to follow since. Attacks in recent weeks have spiked again as ShadowGate—one of the names given to the hacker group behind the campaign—has unleashed a highly revamped version of the exploit kit on hacked ad servers run by Web publishers. The most notable compromise is of an ad server belonging to onlinevideoconverter[.]com, a site with more than 200 million visitors per month that converts YouTube videos into video files that can be stored on a computer hard drive.

“They are ongoing and with a scale we haven’t seen in a couple of years

Baltimore ransomware nightmare could last weeks more, with big consequences

Days after Mayor “Jack” Young took over for disgraced Baltimore Mayor Catherine Pugh, ransomware took down Baltimore City’s networks. It may be weeks or months before things return to normal—and “normal” wasn’t that great, either, based on the city’s IT track record. (credit: Alex Wroblewski/Getty Images)

It’s been nearly two weeks since the City of Baltimore’s networks were shut down in response to a ransomware attack, and there’s still no end in sight to the attack’s impact. It may be weeks more before the city’s services return to something resembling normal—manual workarounds are being put in place to handle some services now, but the city’s water billing and other payment systems remain offline, as well as most of the city’s email and much of the government’s phone systems.

The ransomware attack came in the midst of a major transition at City Hall. Mayor Bernard C. “Jack” Young

These firms promise high-tech ransomware solutions—but typically just pay hackers

Cryptolocker was one of the ransomware pioneers, bringing together file encryption and bitcoin payment. (credit: Christiaan Colen / Flickr)

This story was originally published by ProPublica. It appears here under a Creative Commons license.

From 2015 to 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the UK. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.

“You

“RobbinHood” ransomware takes down Baltimore city government networks

Most of Baltimore City’s networks were shut down as a ransomware attack took down mail servers and other systems at a number of city departments on May 7. (credit: Alex Wroblewski / Getty Images)

Systems at a number of departments of Baltimore’s city government were taken offline on May 7 by a ransomware attack. As of 9:00am today, e-mail and other services remain offline. Police, fire, and emergency response systems have not been affected by the attack, but nearly every other department of the city government has been affected in some way.

Calls to the city’s Office of Information Technology are being answered by a recording stating, “We are aware that systems are currently down. We are working to resolve the issue as quickly as possible.”

Zero-day attackers deliver a double dose of ransomware—no clicking required

(credit: Cisco Talos)

Attackers have been actively exploiting a critical zero-day vulnerability in the widely used Oracle WebLogic server to install ransomware, with no clicking or other interaction necessary on the part of end users, researchers from Cisco Talos said on Tuesday.

The vulnerability and working exploit code first became public two weeks ago on the Chinese National Vulnerability Database, according to researchers from the security educational group SANS ISC, who warned that the vulnerability was under active attack. The vulnerability is easy to exploit and gives attackers the ability to execute code of their choice on cloud servers. Because of their power, bandwidth, and use in high-security cloud environments, these servers are considered high-value targets. The disclosure prompted Oracle to release an emergency patch on Friday.

On Tuesday, researchers with Cisco Talos said CVE-2019-2725, as the vulnerability has been indexed, has been under active exploit since at
