Newsletter Archive - "eCrime.ch Ransomware Highlights"

For 2024-05-19
Article language: in English - Industry: Financial Services
SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information - SEC.gov
2024-05-16
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
Actor/variant: BlackBasta - Article language: in English
Stairwell threat report: Black Basta overview and detection rules - Stairwell
2024-05-16
The Stairwell Threat Research Team has been closely tracking the recent attacks from the Black Basta ransomware group against the US public health sector. First identified in April of 2022, Black Basta is a ransomware-as-a-service operation that emerged following the collapse of Conti. Since then, the group has impacted hundreds of organizations across industries from construction to healthcare. Common tactics of Black Basta include spear-phishing, malicious PowerShell scripts (utilizing tools and other malware such as Cobalt Strike and Qakbot), and exfiltrating sensitive data.
Article language: in English - Industry: Hospitals and Health Care - Organisation/company: MediSecure Group
Health data breach: Electronic prescription provider MediSecure victim of 'large-scale' data breach, 'personal and health information' at risk
2024-05-16
Electronic prescription provider MediSecure has fallen victim to a "large scale" data breach, potentially putting Australians' private medical information at risk and sparking a national approach from the federal government.
The company released a statement on its website – which is now otherwise inactive – this afternoon confirming the breach involved "personal and health information".
Actor/variant: BlackBasta - Article language: in English
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog
2024-05-15
Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.
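The chain described above (a Quick Assist session, then an RMM client dropped on the same host shortly afterwards) is something a detection engineer can correlate from process-creation telemetry. The following is an added example, not Microsoft's hunting query: the image names (QuickAssist.exe for the Quick Assist client, ScreenConnect.ClientService.exe and NetSupport's client32.exe for the follow-on tools), the 30-minute window and the log lines are all assumptions constructed for this example.

```python
"""Correlate Quick Assist launches with follow-on RMM/remote-control clients
on the same host. Added example; not Microsoft's own detection logic."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed client image names (typical binaries, not values taken from the report).
QUICK_ASSIST_IMAGES = {"quickassist.exe"}
FOLLOW_ON_IMAGES = {"screenconnect.clientservice.exe", "client32.exe"}
# Assumed: the RMM drop follows the vishing call within half an hour.
WINDOW = timedelta(minutes=30)

# Constructed process-creation events, "timestamp|host|user|image path".
SAMPLE_EVENTS = [
    "2024-04-22T14:02:11|WS-042|jdoe|C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\\QuickAssist.exe",
    "2024-04-22T14:11:03|WS-042|jdoe|C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe",
    # Quick Assist with a NetSupport client 75 minutes later: outside the window, no alert.
    "2024-04-22T15:30:00|WS-017|asmith|C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\\QuickAssist.exe",
    "2024-04-22T16:45:00|WS-017|asmith|C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe",
    # A managed NetSupport deployment with no Quick Assist session first: no alert.
    "2024-04-22T09:15:00|WS-099|helpdesk|C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe",
]


def parse_event(line):
    """Split one constructed event line into its fields; image is lower-cased basename."""
    ts, host, user, image = line.split("|", 3)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "image": PureWindowsPath(image).name.lower(),
    }


def correlate_quick_assist(lines, window=WINDOW):
    """Return one alert per Quick Assist launch that is followed, on the same host
    and within `window`, by a known RMM/remote-control client image."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["image"] not in QUICK_ASSIST_IMAGES:
                continue
            follow = [
                e for e in events[i + 1:]
                if e["image"] in FOLLOW_ON_IMAGES and e["ts"] - ev["ts"] <= window
            ]
            if follow:
                alerts.append({
                    "host": host,
                    "user": ev["user"],
                    "quick_assist_at": ev["ts"],
                    "follow_on": [(e["ts"], e["image"]) for e in follow],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_quick_assist(SAMPLE_EVENTS):
        print(alert)
```

The sequence matters more than either event alone: Quick Assist is a legitimate Windows tool and RMM clients are common in managed fleets, so either one by itself is noise. In a real deployment, feed the function from Sysmon Event ID 1 or Security Event ID 4688 and tune the window and image list to the tools your help desk actually uses.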
Actor/variant: INC Ransom - Article language: in English - Industry: Primary and Secondary Education - Organisation/company: Rockford Public Schools
'Your data is stolen': Rockford schools hit by ransomware attack
2024-05-15
Staff at Rockford Public Schools walked into a surprise this morning with technology across the district being down and a ransom note laying on printers in multiple buildings.
Article language: in English - Industry: Insurance
NCSC and Insurance Associations Join Forces to Battle Ransomware Payments | SC Media UK
2024-05-15
The National Cyber Security Centre (NCSC) has joined forces with insurance associations in an effort to stop ransomware payments to cyber-criminals.

The Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA) have offered joint guidance in an effort to undermine the profitability of the ransom business model.
Actor/variant: Akira - Article language: in English
Uncovering Akira's privilege escalation techniques
2024-05-14
S-RM’s Incident Response team was called to a breach of a multinational agriculture company in early 2024 where we identified the threat actor as Akira. We traced the initial intrusion to an unpatched single-factor VPN appliance, which served as a gateway into the network. Once connected via the VPN, the threat actor leveraged a remote code execution (RCE) vulnerability (CVE-2021-21972) in the VMware vCenter server. This vulnerability affects the ‘uploadOVA’ function, allowing unauthenticated attackers to upload malicious files to the vulnerable ‘/ui/vropspluginui/rest/services/*’ endpoint. This enabled the threat actor to implant a reverse shell, providing remote access to the vCenter server.
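The endpoint named above is worth watching on the vCenter front-end: an unauthenticated POST to a path under /ui/vropspluginui/rest/services/ is the upload step of the intrusion described. The block below is an added example, not S-RM's tooling: it parses access-log lines in the common format (an assumption about how the vCenter reverse proxy logs), flags any request under that prefix, and rates a successful POST higher than a probe. The sample log lines, IP addresses and status codes are constructed for the example.

```python
"""Flag web requests to the vCenter vROps plugin endpoint abused in CVE-2021-21972.
Added example; not code from the S-RM write-up."""
import re
from dataclasses import dataclass

# Path prefix named in the write-up ("/ui/vropspluginui/rest/services/*");
# "uploadova" below is the upload handler behind the uploadOVA function.
VROPS_PREFIX = "/ui/vropspluginui/rest/services/"

# Assumed: common/combined access-log format for the vCenter front-end proxy.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Hit:
    src: str
    ts: str
    method: str
    path: str
    status: int

    @property
    def severity(self):
        # A 2xx POST means the upload handler accepted a body; GETs are usually probes,
        # and a 404 suggests the plugin endpoint is no longer exposed on that host.
        if self.method == "POST" and 200 <= self.status < 300:
            return "high"
        return "medium"


# Constructed sample lines: one scanner probe, one accepted upload, one
# attempt against a host where the endpoint is gone, plus ordinary UI traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [03/Jan/2024:10:14:02 +0000] "GET /ui/login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Jan/2024:10:14:09 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0',
    '203.0.113.7 - - [03/Jan/2024:10:14:31 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0',
    '198.51.100.4 - - [03/Jan/2024:10:15:00 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 404 0',
    '10.0.5.12 - - [03/Jan/2024:10:16:44 +0000] "GET /ui/app/folder;nav=h HTTP/1.1" 200 812',
]


def parse_access_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def find_vrops_hits(lines):
    """Every request whose path (query string stripped) sits under VROPS_PREFIX."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.startswith(VROPS_PREFIX):
            hits.append(Hit(rec["src"], rec["ts"], rec["method"], path, int(rec["status"])))
    return hits


def sources_by_severity(hits):
    """Worst severity observed per source address."""
    worst = {}
    for h in hits:
        if worst.get(h.src) != "high":
            worst[h.src] = h.severity
    return worst


if __name__ == "__main__":
    hits = find_vrops_hits(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(h.severity, h.src, h.method, h.path, h.status)
    print(sources_by_severity(hits))
```

Two caveats from the same incident: the detection only helps if vCenter's management interface is reachable from wherever the attacker sits (here, inside the network via the VPN), and the real fix is patching vCenter and putting multi-factor authentication on the VPN, which was the single-factor entry point.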
Article language: in English
The role of law enforcement in remediating ransomware attacks - Sophos News
2024-05-14
While 97% of organizations hit by ransomware report the attack, the level of involvement of law enforcement and/or official bodies varies considerably by country.

In the early years of ransomware, many (if not most) victims were reluctant to admit publicly that they had been hit for fear of exacerbating the business impact of the attack. Concerns about negative press and customer attrition led many organizations to keep quiet.

More recently, the situation has changed, with ransomware victims increasingly willing to acknowledge an attack. This development is likely driven in part by the normalization of ransomware – our (wholly anonymous) State of Ransomware reports have revealed attack rates above 50% for the last three years and public acknowledgement of an attack by well-known brands is commonplace. In short, being hit by ransomware is no longer perceived to be an automatic badge of shame.
Article language: in English - Industry: Government Administration - Organisation/company: Macon-Bibb County (GA)
Georgia county's network taken down after potential cyberattack | 13wmaz.com
2024-05-13
MACON, Ga. — The network for Macon-Bibb County was taken down over the weekend after a potential cybersecurity hack, according to Chris Floore.

Floore said they took their network offline out of an abundance of caution. They are adding additional security measures and are investigating the potential breach.

This means officers are unable to access email or landline phones at this time. The city reached out to state and federal security officials for guidance and assistance with the issue.
Actor/variant: Mallox - Article language: in English
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
2024-05-13
Recently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot. It was targeted by an intrusion set leveraging brute-force tactics, aiming to deploy the Mallox ransomware via PureCrypter through several MS-SQL exploitation techniques.

Our investigation of Mallox samples led us to identify two affiliates with distinct modus operandi. The first focuses on exploiting vulnerable assets, while the second aims at broader compromises of information systems on a larger scale.
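The first affiliate's entry point above is password brute-forcing against exposed MS-SQL instances. SQL Server records each rejected login (error 18456) in its ERRORLOG, so a burst of failures from one client address is the earliest signal. The block below is an added example, not code from the article: the log format is assumed from typical ERRORLOG output, the ten-failures-in-five-minutes threshold is an assumption, and the log lines are constructed for the example.

```python
"""Detect MS-SQL password brute-forcing from SQL Server ERRORLOG lines.
Added example; not code from the article. Threshold, window and lines are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ERRORLOG layout for a rejected login (failed-login auditing is on by default).
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]"
)
THRESHOLD = 10                 # assumed: ten rejected logins from one client ...
WINDOW = timedelta(minutes=5)  # ... inside five minutes is treated as brute force


def constructed_errorlog():
    """Constructed sample: a 12-attempt burst against 'sa' from one address,
    two mistyped passwords from an internal host, and a non-login line."""
    base = datetime(2024, 5, 10, 3, 12, 44)
    fmt = "%Y-%m-%d %H:%M:%S.10"
    lines = ["2024-05-10 03:12:44.10 Logon       Error: 18456, Severity: 14, State: 8."]
    for i in range(12):
        ts = (base + timedelta(seconds=7 * i)).strftime(fmt)
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password did not "
                     f"match that for the login provided. [CLIENT: 203.0.113.5]")
    for i in range(2):
        ts = (base + timedelta(minutes=20 + i)).strftime(fmt)
        lines.append(f"{ts} Logon       Login failed for user 'reporting'. Reason: Password did not "
                     f"match that for the login provided. [CLIENT: 10.20.0.15]")
    return lines


def parse_failed_logins(lines):
    """One dict per 'Login failed' line; other ERRORLOG lines are ignored."""
    out = []
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            out.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "user": m["user"],
                "client": m["client"],
                "reason": m["reason"],
            })
    return out


def brute_force_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per client address. Returns, for each client whose peak
    number of failures inside `window` reaches `threshold`, that peak and the
    set of login names it tried."""
    by_client = defaultdict(list)
    for ev in parse_failed_logins(lines):
        by_client[ev["client"]].append(ev)

    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        peak = start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = {
                "peak_failures": peak,
                "users": sorted({e["user"] for e in evs}),
            }
    return flagged


if __name__ == "__main__":
    print(brute_force_sources(constructed_errorlog()))
```

A single 'sa' login hammered from a non-RFC1918 address, as in the constructed burst, is the pattern the honeypot saw; an internal host failing twice is a user mistyping a password and stays under the threshold. The check only works if the 'Login failed' lines are actually being written, so confirm the server's login auditing setting before relying on it, and treat any instance that is reachable on TCP 1433 from the internet as already a finding.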
Article language: in French - Industry: Higher Education - Organisation/company: Collège Ahuntsic
Cyberattack | Collège Ahuntsic closed on Thursday | La Presse
2024-05-16
Collège Ahuntsic is closed this Thursday following a potential cyberattack that reportedly occurred late in the day on Wednesday.

On its Facebook page, the institution explains that "all regular-education and continuing-education activities are cancelled".

The College also states that employees are not required to work, except those in security, maintenance and IT, whose presence on site is required.
Article language: in German - Industry: Higher Education - Organisation/company: Hessische Hochschule für öffentliches Management und Sicherheit
Cyberattack hits Hessian police college
2024-05-17
The Hessische Hochschule für öffentliches Management und Sicherheit (HöMS) has confirmed that it was the target of a cyberattack between 8 and 13 February in which ransomware was used. According to current investigative findings, data exfiltration must be assumed, a press release states. Personal data is also affected.