Blueliv Intelligence Briefing

Your cybersecurity news summary

Tuesday, September 8th, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Chilean bank BancoEstado shuts down after ransomware attack

Chilean bank BancoEstado, one of the country's biggest banks, was hit by a ransomware attack that has kept its branches closed since September 7. The ransomware encrypted most of the company's servers and workstations. The attack took place over the weekend; the bank disclosed it on Sunday via its Twitter account and decided to keep branches closed while it investigates the incident and recovers its systems.

Argentinian government hit by Netwalker ransomware

Argentina's official immigration agency, Dirección Nacional de Migraciones, was hit by a Netwalker ransomware attack that interrupted border crossings into and out of the country for four hours. According to local media, the ransomware operators also exfiltrated sensitive data from the agency. The agency started receiving numerous tech support calls from checkpoints at approximately 7 AM on August 27th.

Monday, September 7th, 2020

New strain of Thanos ransomware unsuccessfully overwrites Windows MBR

"Overwriting the MBR is a more destructive approach to ransomware than usual," researchers said. "Victims would have to expend more effort to recover their files – even if they paid the ransom; fortunately, in this case, the code responsible for overwriting the MBR caused an exception because the ransom message contained invalid characters, which left the MBR intact and allowed the system to boot correctly." Even though they failed to overwrite the compromised computers' MBRs, the Thanos operators still dropped the ransom note the regular way, by creating HOW_TO_DECIPHER_FILES.txt text files asking the victims to pay $20,000 to recover their data. The researchers think the attackers gained access to the targets' networks before the ransomware payloads were deployed, since valid credentials were found within the samples recovered after the attack.

Monday, August 24th, 2020

Unskilled Iranian hackers deploy Dharma ransomware

Low-skilled hackers, likely from Iran, have joined the ransomware business, targeting companies in Russia, India, China, and Japan. They are going after easy hits, using publicly available tools. The new group is deploying Dharma ransomware. Based on forensic artifacts, this is an unsophisticated, financially motivated gang that is new to cybercrime. Their demand is between 1 and 5 Bitcoin (currently $11,700 - $59,000), which is at the lower end of ransom demands compared to other ransomware operations.

Tuesday, August 18th, 2020

Cruise line operator Carnival in danger after ransomware attack

In its filing on the attack, Carnival states that data was likely stolen and could lead to claims from those affected by the potential data breach: "Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies." The filing does not name the ransomware operation that compromised the network, and there are close to twenty different gangs that steal and leak unencrypted files as part of their attacks.

Monday, August 17th, 2020

Technology giant Konica Minolta hit by RansomEXX ransomware attack

After some customers stated that their Konica contacts had indicated a breach caused the outage, a source shared with researchers a copy of the ransom note used in the attack on Konica Minolta, named '!!KONICA_MINOLTA_README!!.txt'. It was also discovered that devices in the company were encrypted, with the '.K0N1M1N0' extension appended to files. This ransom note belongs to a relatively new ransomware called RansomEXX, which is human-operated: threat actors compromise a network and, over time, spread to other devices until they gain administrator credentials.

Thursday, August 13th, 2020

Color by numbers: inside a Dharma ransomware-as-a-service attack

The actors using this particular RaaS are equipped with a package of pre-built scripts, internal Windows tools, legitimate third-party "freeware" software, well-known security tools and publicly available exploits, integrated together through bespoke PowerShell, batch, and AutoIT scripts. This pre-packaged toolkit, combined with back-end technical support, significantly extends the reach of the Dharma RaaS operators, allowing them to profit while their affiliates do the hands-on-keyboard work of breaching networks, dropping ransomware, and managing "customer service" with the victims.

Tuesday, August 11th, 2020

Data leak site launched by Avaddon ransomware

If publicly released, this data could expose financial information, personal information of employees, and client data, amounting to a data breach. At this time, there is only one entry on the site, leaking 3.5MB of documents stolen from a construction company.

Thursday, August 6th, 2020

Canon has 10TB of data breached in Maze ransomware attack

Multinational corporation Canon reportedly fell victim to a ransomware attack launched by the Maze group against its email and storage services and its United States website on July 30. Maze has threatened to leak the photos and data if a cryptocurrency ransom is not paid. The image.canon site was down for six days, during which it displayed status updates. Canon denied any attack, but the ransomware gang later claimed it had managed to steal almost 10 TB of photos, files and other data.

Tuesday, August 4th, 2020

NetWalker evolves to a ransomware-as-a-service model

During the COVID-19 pandemic, the adversaries behind NetWalker clearly stated that hospitals would not be targeted; whether they keep to their word remains to be seen. During 2020 NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service (RaaS) model, and research suggests that the malware operators are targeting and attracting a broader range of technically advanced and enterprising criminal affiliates.

Tuesday, July 14th, 2020

AgeLocker Ransomware uses Google’s utility to encrypt files

According to the Age manual, the utility was designed as a replacement for GPG to encrypt "files, backups, and streams." Instead of creating ransomware that uses commonly seen encryption schemes such as AES+RSA, the threat actors behind AgeLocker appear to be using the Age command line tool to encrypt a victim's files. Experts explained that Age uses X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256, which makes it a very secure method of encrypting a file.

Thursday, July 9th, 2020

Conti uses up to 32 CPU threads for encryption

Like most ransomware families today, Conti was designed to be directly controlled by an adversary rather than executing automatically by itself. Such strains are also known as "human-operated ransomware," and they are designed to be deployed during targeted intrusions inside large corporate or government networks. Security researchers first spotted a Conti dev build earlier this year, in February, but a security vendor's Threat Analysis Unit (TAU) has now reported spotting Conti infections in the wild.

Wednesday, July 8th, 2020

Victims of the ThiefQuest ransomware can recover their encrypted files

According to the experts, the EvilQuest ransomware has been distributed in the wild since the beginning of June. Threat actors have been distributing it inside tainted pirated macOS software uploaded to torrent portals and online forums. Once the files on the infected host are encrypted, a popup informs the victim that their files have been encrypted. The victim is directed to open a ransom note dropped on their desktop that includes payment instructions. Now a security firm has released a free decryptor that allows victims of the ThiefQuest ransomware to recover their encrypted files.

Tuesday, July 7th, 2020

EDP confirms cyberattack, blames Ragnar Locker

In a letter sent to customers (.PDF), the energy company apologized for the incident but insisted that there is "no evidence" that consumer information was compromised or stolen. "Attackers had gained unauthorized access to at least some information stored on the company's own information systems," the letter reads. "Since then, EDPR NA has worked diligently and on an expedited basis to identify the individuals potentially affected by this incident."

Friday, July 3rd, 2020

ThiefQuest ransomware is a file-stealing Mac wiper in disguise

A new data wiper and info-stealer called ThiefQuest is using ransomware as a decoy to steal files from macOS users. Victims get infected after downloading trojanized installers of popular apps from torrent trackers. While not common, ransomware has targeted the macOS platform in the past, with KeRanger, FileCoder (aka Findzip), and Patcher being three other examples of malware designed to encrypt Mac systems.

Thursday, July 2nd, 2020

How EKANS ransomware targets industrial control systems

The EKANS ransomware family is one strain that has been used in targeted ICS campaigns. Researchers were able to obtain two recent samples, one from May and another compiled in June, which revealed some interesting features. Both Windows-based samples are written in Go, a programming language widely used in the malware development community because it is relatively easy to compile for different operating systems.

Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set

Thanos is a RaaS (Ransomware as a Service) that provides buyers and affiliates with a customized tool to build unique payloads. This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root. The generated payloads can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique.

Wednesday, July 1st, 2020

Xerox allegedly suffers Maze Ransomware attack

The company declared over $1.8 billion in revenue in Q1 2020 and has 27,000 employees across the globe. It currently ranks 347th on the Fortune 500 list. Maze ransomware operators claim to have stolen more than 100GB of files from Xerox and threaten to publish them if the company does not pay the ransom.

New Mac ransomware spreading through piracy

Researchers found a malicious Little Snitch installer available for download on a Russian forum dedicated to sharing torrent links. A post offered a torrent download for Little Snitch, followed by several comments that the download included malware. They discovered that not only was it malware, but a new Mac ransomware variant that was spreading via piracy.

Thursday, June 25th, 2020

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

WastedLocker is a new ransomware locker we've detected being used since May 2020. We believe it had been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the Evil Corp group in 2020. Evil Corp were previously associated with the Dridex malware and BitPaymer ransomware; the latter came to prominence in the first half of 2017.

Tuesday, June 23rd, 2020

Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline

Indian conglomerate Indiabulls Group has allegedly been hit with a cyberattack from the CLOP Ransomware operators, who have leaked screenshots of stolen data. The CLOP Ransomware operators claimed to have breached Indiabulls and have posted screenshots of files that they allegedly stole during the attack. When performing a ransomware attack, the CLOP threat actors are known to steal unencrypted files before deploying the ransomware.