Ransomware attack Archives | Vednam
https://vednam.com/tag/ransomware-attack/
Latest News on Cyber Security, Hacking and Tech (feed generated Wed, 01 Jul 2020 08:10:02 +0000)

Russian Hacker Evil Corp Group targets US workers at home
https://vednam.com/russian-hacker-group-ransomware-attacks/
Sat, 27 Jun 2020 19:54:17 +0000

Let's talk about the Russian hacker group that has been launching ransomware attacks against a number of US companies, targeting employees who are working from home during the pandemic.

Ransomware attacks have risen sharply this year, and the threat actors behind them work with such dedication that any organization could be the next victim.

The Russian group Evil Corp has accessed the networks of at least 31 organizations in order to cripple their systems and demand millions of dollars in ransom.

The US Justice Department indicted the group's two alleged leaders in December 2019.

As the BBC reported, US authorities last year filed charges against Evil Corp's alleged leaders, Maksim Yakubets and Igor Turashev, who are accused of using malware to steal millions of dollars from victims, including schools and religious organizations, in more than 40 countries.

The US State Department also announced a $5m reward for information leading to Yakubets' arrest, the largest amount ever offered for a cyber-criminal.

According to a Gallup poll, around 62% of employed Americans were working from home during the pandemic, which is exactly the population this campaign targets.

With the US election only months away, federal and local officials have been putting strict measures in place to protect voter records and to manage safe voting practices amid the pandemic.

Attack Analysis

Symantec, which monitors corporate and government networks, released a threat warning on Thursday night after identifying the activity.

Symantec attributes the attacks to Evil Corp and describes the payload as a relatively new ransomware family called WastedLocker.

Ransomware is malware that encrypts a victim's files and withholds the decryption key until a ransom is paid; if the victim refuses, the files stay unrecoverable. WastedLocker demands are reported to range from $500,000 to $1m, and the attackers release the key only after payment.

Symantec also noted that the "vast majority of targets are major corporations, including many household names", several of them Fortune 500 companies.

All of the targeted companies are US-based, and all but one are US-owned.

According to Symantec, the attackers had breached these companies' networks and were "laying the groundwork" for a future ransomware attack that would let them block access to data and demand millions of dollars.

The New York Times also wrote: "The Russian hackers are taking advantage of employees now using virtual private networks (VPNs) to access work systems."

The attackers use the VPN an employee connects through to identify which company that employee works for, and they infect the employee's computer when it visits a compromised public or commercial website. Once that infected machine connects back to the corporate network, the attackers can move into the company's systems.

 

Indiabulls group going to pay CLOP Ransomware : Report
https://vednam.com/indiabulls-group-going-to-pay-clop-ransomware-report/
Wed, 24 Jun 2020 20:00:27 +0000

Indiabulls Group, an Indian conglomerate headquartered in Gurugram, was hit by the Clop ransomware earlier this month, according to the cybersecurity company Cyble. The threat actor behind the attack has threatened to publish the stolen data if the group refuses to pay the ransom within 24 hours.

As proof of the attack, the attackers uploaded six screenshots to their 'CLOP_-LEAKS' site. Researchers who examined them say the exposed data is highly sensitive: bank documents, transaction details, vouchers, correspondence with various banking institutions and other finance-related records.

The alleged attack is still under investigation and it is not yet clear whether it took place as claimed. Bad Packets researchers had earlier found a Citrix NetScaler ADC VPN gateway belonging to Indiabulls that was vulnerable to CVE-2019-19781 (a path-traversal flaw that allows unauthenticated remote code execution), and the threat actor is believed to have exploited it to get in.
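The CVE-2019-19781 entry point mentioned above can be checked for and hunted in two ways: a non-intrusive probe of the appliance, and a search of the gateway's HTTP access logs for the traversal pattern. The Python below is an added example, not code from Vednam, Cyble or Bad Packets. The log lines are constructed for the example, and the request patterns are the publicly known ones: a `/vpn/../vpns/` traversal into the unauthenticated handlers, `smb.conf` as the usual probe target (an unpatched appliance returns it with a 200), and `newbm.pl` as the script abused to write a template for code execution.

```python
import re
from urllib.parse import unquote

# Constructed HTTP access-log lines in combined format (invented for this
# example; not logs from Indiabulls or any real NetScaler appliance).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jun/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 311 "-" "curl/7.68.0"
198.51.100.9 - - [24/Jun/2020:10:01:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 48 "-" "python-requests/2.23"
198.51.100.9 - - [24/Jun/2020:10:01:12 +0000] "GET /vpn/..%2fvpns/portal/x.xml HTTP/1.1" 200 1024 "-" "python-requests/2.23"
203.0.113.7 - - [24/Jun/2020:10:02:00 +0000] "GET /vpn/images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [24/Jun/2020:10:03:30 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 162 "-" "Nmap NSE"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The CVE-2019-19781 primitive: a /vpn/ URL whose "../" steps into the
# unauthenticated /vpns/ handlers. Decoding first catches %2e%2e and %2f variants.
TRAVERSAL_RE = re.compile(r'/vpn/(?:\.\./)+vpns/')
# newbm.pl is the bookmark script whose template handling was abused for RCE.
NEWBM_RE = re.compile(r'/vpns/portal/scripts/newbm\.pl')


def classify(path):
    """Return the attack stage a request path represents, or None if benign."""
    decoded = unquote(unquote(path))          # handle single and double encoding
    if not TRAVERSAL_RE.search(decoded):
        return None
    if NEWBM_RE.search(decoded):
        return "write"                        # template written via newbm.pl
    if "/vpns/cfg/smb.conf" in decoded:
        return "probe"                        # the classic vulnerability check
    return "read"                             # other traversal, e.g. fetching a planted file


def find_attempts(log_text):
    """Parse combined-format access logs and return every traversal request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m.group("path"))
        if stage is None:
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "method": m.group("method"), "path": m.group("path"),
                     "status": int(m.group("status")), "stage": stage})
    return hits


def summarize(hits):
    """Per-source view: stages seen, and whether any traversal got a 200.
    A 200 on a traversal request means the appliance served it, i.e. was unpatched."""
    out = {}
    for h in hits:
        s = out.setdefault(h["ip"], {"stages": set(), "served": False})
        s["stages"].add(h["stage"])
        if h["status"] == 200:
            s["served"] = True
    return out


def is_vulnerable_response(status, body):
    """Interpret the reply to GET /vpn/../vpns/cfg/smb.conf: an unpatched
    appliance returns 200 with its Samba config, which starts with "[global]"."""
    return status == 200 and "[global]" in body


if __name__ == "__main__":
    for ip, s in summarize(find_attempts(SAMPLE_LOG)).items():
        print(ip, sorted(s["stages"]), "served" if s["served"] else "blocked")
```

A source that progresses from "probe" to "write" and gets 200s back is the case to escalate: the write stage means a template has been dropped and the next request to it executes attacker code.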

Beyond the six files on the Clop leak site, no further details are known; the attackers expect Indiabulls to pay the ransom within 24 hours.

The attackers have also threatened to publish data relating to Indiabulls Pharmaceuticals and Indiabulls Housing Finance Limited.

Exposure on leak sites

Maze pioneered the tactic of publishing stolen data, and other ransomware families followed its example by launching leak sites of their own, used mainly to blackmail victims into paying the ransom.

Sodinokibi/REvil, Nemty and DoppelPaymer were the first to follow; Nefilim, Sekhmet and Clop have since joined the trend.

The new leak sites have quickly filled with victims' data.

On March 13, the pharmaceutical company ExecuPharm was compromised and hit by the Clop ransomware. The attackers locked servers holding 163GB of data, which they eventually published.

The criminals behind the Clop attack exposed thousands of emails, accounting information, financial records, backups and other highly sensitive data as proof of the attack.

Maastricht University was another victim: its files were encrypted and the university paid 30 bitcoin to the criminals in exchange for the decryption key.

The Clop attack on Indiabulls Group discussed here has not yet been confirmed.

CLOP Ransomware

Clop was first observed in February 2019 as a variant of the CryptoMix ransomware family. Its developers have since changed its behaviour significantly, making it harder to predict.

Clop stands out among ransomware families for the sheer number of processes it kills before encrypting: Windows 10 applications, IDEs and programming-language tooling, Microsoft Office applications, Microsoft Exchange, SQL Server, MySQL, Backup Exec and more.

Killing 663 Windows processes before running its file-encryption routine is not common behaviour, and the list is unusual enough that researchers cannot explain why some of those processes are targeted. For most of them the purpose is clear: terminating database, mail, backup and office processes releases file locks so that the files can be encrypted, and shuts down tools that might otherwise interfere.

$300,000 ransom paid by city of Florence after ransomware attack
https://vednam.com/300000-ransomware-paid-by-city-of-florence-after-ransomware-attack/
Sat, 20 Jun 2020 18:34:15 +0000

The city of Florence, Alabama will pay a $300,000 ransom in bitcoin after its computer systems were hit by a ransomware attack.

The number of cyber-attacks has increased tremendously compared with the same period last year, and the average ransom payment has nearly doubled. Even countries with the most advanced security technologies are being hit.

Several Florence officials had been alerted that the city's IT systems had been compromised by a group that specialises in deploying ransomware.

The mayor said the hackers may have had access to the city's computer systems for more than a month.

The Florence City Council voted unanimously at an emergency meeting to pay the ransom from the city's insurance fund in order to protect the information of city workers and customers.

On May 26, acting on a tip from Milwaukee-based security firm Hold Security, KrebsOnSecurity contacted the office of Florence's mayor to alert them that a Windows 10 system in the city's IT environment had been commandeered by a ransomware gang.

As Mayor Holt said: "We are having to approach it from the standpoint that we're going to have to assume we know they have some of our information; we don't know that they have critical information. Frankly, I don't think they do, but we don't know."

Mayor Holt later confirmed that the city had been hit by the ransomware gang known as DoppelPaymer.

DoppelPaymer has a reputation for not publishing stolen data once the ransom is paid.

The city will nevertheless seek proof that the hackers deleted the stolen information.

"Ransom has been a big problem for some time, but that was a worrying chapter for me," said Decatur information technology director Brad Philips.

 

After Ransomware attacks Cognizant Confirms Data Breach
https://vednam.com/after-ransomware-attacks-cognizant-confirms-data-breach/
Fri, 19 Jun 2020 11:13:42 +0000

IT services giant Cognizant suffered a ransomware attack in April that caused service disruptions for its clients.

Cognizant is one of the largest IT firms in the world, with more than 300,000 (3 lakh) employees, providing digital, technology, consulting and operations services.

Impact of the attack

On April 17 the company's internal systems were hit by the Maze ransomware. Cognizant informed its clients of the attack and provided them with indicators of compromise (IOCs) and other defensive technical information.

Cognizant initially determined that the attackers had staged and likely exfiltrated a limited amount of data from its systems.

Further investigation found that personal information had also been exposed, most of it relating to corporate credit cards.

Cognizant has notified all associates who had an active corporate credit card and is offering them credit and identity-theft monitoring services.

A dedicated team continues to monitor the affected accounts for fraudulent activity, and the company says it has been informed that no increase in fraud has been seen on its accounts.

Ransomware has become an easy way for criminals to extort individuals and companies, costing billions of dollars, not to mention the privacy and safety implications.

Cognizant's breach notification letter states that the Maze ransomware was active in its network between April 9 and 11.

 

Thanos Ransomware : Another Popular Ransomware family
https://vednam.com/thanos-ransomware-another-popular-ransomware-family/
Mon, 15 Jun 2020 05:10:40 +0000

Thanos is a new Ransomware-as-a-Service (RaaS) offering that has gained considerable popularity on underground forums.

Researchers found Thanos to be the first ransomware family to use the RIPlace technique. RIPlace abuses the way Windows file-system filter drivers handle renames: by renaming a file through a DOS device symbolic link, the encrypted copy can replace the original without anti-ransomware products seeing the operation, letting the attacker bypass their protections.

History

  1. Thanos first appeared at the end of October 2019 under the name Quimera ransomware.
  2. By early 2020 it was being identified as Hakbit, based on shared core functionality, strings and code.
  3. In February 2020 the ransomware was identified as Thanos, promoted as a RaaS on Russian-language hacking forums.
  4. Attacks involving Thanos reportedly surged 25% in the first three months of 2020 compared with the final three months of 2019.

About Thanos Ransomware

  1. The Thanos client code is written in C#.
  2. The client encrypts files with AES-256 in CBC mode.
  3. The client is also offered with a lateral-movement capability built on SharpExec.

Final thoughts

Thanos is expected to remain in use as a weapon by its operators in various ways. Carbon Black and Kaspersky updated their products after the RIPlace technique was disclosed.

PonyFinal: Ransomware Deployed Manually Against Organizations
https://vednam.com/ponyfinal-ransomware-attack-manually-to-the-organization/
Wed, 03 Jun 2020 08:27:23 +0000

Microsoft's security team has warned organizations around the world to put the necessary protections in place against PonyFinal, a ransomware variant that has been active for the last two months. It is Java-based and targets enterprise servers to lock up sensitive data.

Microsoft Security says PonyFinal is a new variety of ransomware that is not an automated threat: it is deployed manually by human operators.

In short, these are human-operated ransomware attacks in which the attackers first compromise the corporate network and then deploy the ransomware.

[Image: PonyFinal. Source: Microsoft]

Microsoft's tweet reads: "PonyFinal is Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware is not unheard of, they're not as common as other threat file types."

Microsoft also urged organizations to look for how PonyFinal is being delivered; several organizations had earlier reported being attacked by the PonyFinal ransomware.

How does PonyFinal work?

The attackers first look for the easiest way into the target. Typically they reach the organization's systems management server and get in by brute-forcing weak passwords. Once inside, they execute the ransomware on the server.

PonyFinal encrypts the files on the server, keeping each file's original name but appending the extension ".enc". The files can only be decrypted with the original encryption key, which the attackers withhold for ransom; that is the whole point of a manually operated ransomware attack.

The attackers then leave a note named "readme_files.txt" on the server describing how to pay and how to obtain the key.

[Image: PonyFinal. Source: Microsoft]

According to Microsoft, the attackers deploy the trojan manually. They pick larger organizations, obtain a valid password, gain access to a PowerShell command interface, and then collect information about the compromised environment and spread across the network.

Once they have PowerShell access, they can install PonyFinal on the compromised server or on connected servers. In most cases they target servers that are already running the Java Runtime Environment (JRE).

According to Microsoft, where JRE was not already present the attackers installed it on the system before running PonyFinal.
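A responder confirming a suspected PonyFinal hit wants three things quickly: which files were renamed to `.enc` (and what their original names were), where the `readme_files.txt` notes are, and whether the `.enc` files are genuinely encrypted rather than merely renamed. The Python triage below is an added example, not Microsoft's or Vednam's code; it builds a constructed directory tree in a temporary folder and then walks it. The entropy threshold, the sample-size limit and the tree contents are assumptions made for the example.

```python
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "readme_files.txt"   # note name reported for PonyFinal
ENC_EXT = ".enc"                   # extension appended to encrypted files


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, far lower for plaintext or padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hunt(root, entropy_threshold=7.0, sample_bytes=65536):
    """Walk `root` and collect PonyFinal-style artefacts."""
    found = {"encrypted": [], "originals": [], "notes": [], "low_entropy_enc": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == RANSOM_NOTE:
                found["notes"].append(path)
            elif low.endswith(ENC_EXT):
                found["encrypted"].append(path)
                found["originals"].append(name[:-len(ENC_EXT)])   # original name is preserved
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)                  # sample only; files can be huge
                # A .enc file that is not high-entropy was renamed, not encrypted:
                # worth a closer look, and possibly recoverable as-is.
                if shannon_entropy(head) < entropy_threshold:
                    found["low_entropy_enc"].append(path)
    return found


def build_sample_tree():
    """Create a constructed directory resembling a hit file server (invented data)."""
    root = tempfile.mkdtemp(prefix="ponyfinal_demo_")
    finance = os.path.join(root, "shares", "finance")
    os.makedirs(finance)
    ciphertext_stand_in = os.urandom(4096)   # random bytes stand in for AES output
    for name in ("q1.xlsx", "budget.docx", "db.bak"):
        with open(os.path.join(finance, name + ENC_EXT), "wb") as fh:
            fh.write(ciphertext_stand_in)
    with open(os.path.join(finance, "notes.txt.enc"), "wb") as fh:
        fh.write(b"A" * 4096)                # renamed but never encrypted
    with open(os.path.join(finance, "readme.txt"), "w") as fh:
        fh.write("untouched file\n")          # similar name, not a ransom note
    with open(os.path.join(root, "shares", RANSOM_NOTE), "w") as fh:
        fh.write("your files are encrypted, contact us to buy the key\n")
    return root


if __name__ == "__main__":
    result = hunt(build_sample_tree())
    for key, paths in result.items():
        print(key, len(paths))
```

Run it against a real share root instead of the sample tree to get a count of affected files, the list of original names for restore-from-backup, and the note locations for the incident record; the low-entropy list is the set of files that should be re-examined before anyone pays for a key they may not need.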

Microsoft recommends that organizations stay alert before things get messy and keep their systems up to date with the latest updates.

 
