
TronWeekly

Crypto World News


ransomware

$7.5M Monero Ransomware Attack Strikes Telecom Argentina S.A

July 21, 2020 by Arnold Kirimi

Cybercriminals have struck Telecom Argentina S.A with a major ransomware attack, and the attackers are demanding $7.5 million in the privacy-oriented crypto Monero. According to the Spanish-language website elperiodista.com, which cites unnamed workers, the attack, which started on July 15, paralyzed the company's IT systems.

The employees also told the website that the company had asked its employees not to open any file or e-mail. In addition, the July 18 tweet from @krugermacro suggests that the attackers are threatening more damage if their demands are not met. According to reports, the attackers want their demands to be met by July 21; otherwise the ransom demand will double while the firm's systems remain incapacitated.

Argentina's major telephone company, Telecom, just got hacked. Hackers requesting a ransom of $7.5 million in Monero. $XMR pic.twitter.com/AGNvAXh1cg

— Alex Krüger (@krugermacro) July 19, 2020

Ransomware attacks and crypto scams on the rise

The Telecom Argentina S.A ransomware attack follows last week's high-profile Twitter hack connected to a bitcoin giveaway scam. Elliptic, a blockchain analytics firm, says a portion of the bitcoin linked to the massive Twitter hack was mixed using a CoinJoin mixing software called Wasabi.

Monero, by contrast, is a privacy-oriented crypto that has been written off by some crypto exchanges for that very reason. Even so, some industry experts have questioned the attackers' decision to demand such a tremendous amount of money in Monero. The founder and CEO of Mana Security, Tim Ismilyaev, suggested that Monero has inferior liquidity on crypto exchanges and is therefore unsuitable for demanding such a huge amount.

Another reason behind the hefty Monero demands?

Additionally, Ismilyaev noted that liquidity is the sole reason why most ransomware attackers demand payment in bitcoin. He also states that “it’s especially strange to ask for $7.5M in monero – it’s about 13% of daily trading volumes; and would significantly impact the price.”

According to the Mana Security CEO, there could be another purpose behind the ransomware attack. “I think attackers don’t expect Telecom Argentina to pay such a big check, but they probably already have Monero and want to sell it for a better price after the price pump,” Ismilyaev suggested.

Filed Under: Industry Tagged With: Bitcoin (BTC), bitcoin hackers, crypto hackers, cyber crimes, Monero (XMR), ransomeware attack, ransomware, telecom argentina

Ransomware Attackers Targeting Nicki Minaj, LeBron, and Mariah Carey

June 30, 2020 by Arnold Kirimi

Notorious ransomware attackers, the REvil Group, have made another move; this time around, the group is threatening to leak sensitive personal information about the basketball player LeBron James and the global artists Nicki Minaj and Mariah Carey.

The ransomware attackers noted that the auction of the information would commence on July 1, 2020. Notably, the REvil ransomware scheme threatened to auction sensitive information about musician Madonna last month. Files containing personal details about the two artists and the NBA star will be auctioned beginning at $600,000 according to a Variety report.

Ransomware attackers personal data auction

REvil claimed that it would sell information belonging to Bad Boy Records, MTV, and Universal. The auction for Bad Boy Records will begin at $750,000, while the auction for MTV and Universal will begin at $1 million. In addition, all payments will be transferred using Monero altcoin, which focuses on privacy.

As per the Variety report, the ransomware attackers claimed through a press release that they have files containing “contracts, agreements, NDA, confidential information, court conflicts [and] internal correspondence with the firm.” Moreover, the post stated:

“Show business is not concerts and love of fans only—also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs, and treachery.” 

REvil also targeted the famous showbiz lawyer Allen Grubman and his law firm, Grubman Shire Meiselas & Sacks, on 14 May. The ransomware attackers called for a $42 million ransom over leaks of sensitive information about U.S. President Donald J. Trump, pop musician Lady Gaga, and Barbra Streisand. On May 18, the group also said that Madonna’s dirty secrets would leak.

REvil has been ‘successful’ in leaking sensitive info before

REvil Group previously demanded ransom in bitcoin but later opted for Monero, whose digital footprints are difficult to trace. According to Darkowl.com, the ransomware attackers have been successful in what they do. On May 14, REvil leaked more than 3,000 personal files, containing expense reports and confidentiality agreements, belonging to singer Lady Gaga.

Filed Under: Industry, News Tagged With: Bad Boy Records, Hackers, Mariah Carey, Monero (XMR), MTV, Nicki Minaj, ransomware, Ransomware Attackers, Universal

Corporate Credit Card Info, Personal Data Leaked in Cognizant Ransomware Attack

June 23, 2020 by Yvette Mwendwa

Cyber solutions firm Cognizant has notified both its employees and California state regulators that the majority of the private information compromised during the April Cognizant ransomware attack involved corporate credit cards. The credit cards were issued to the firm’s employees.

Back in April, Maze attackers orchestrated the Cognizant ransomware attack. The firm has now notified its employees that their private information, such as corporate credit card names and account numbers, has been leaked.

“A limited amount of personal data (of associates) was compromised before the attack was contained on May 1. Vast majority of the information consisted of names and account numbers (and no other personal information) from some American Express cards,” Cognizant wrote in a corporate letter to the employees.

The technology solutions firm is expected to take a $50-$70 million hit to revenue during this quarter. Furthermore, the Cognizant ransomware attack has been reported to the Federal Bureau of Investigation (FBI) for investigation.

As of now, there are no details on whether the attack only affected employees in the United States or employees from other geographical locations. However, the firm has informed the affected employees that they will receive access to credit card monitoring, dark web monitoring, and free restoration of services.

Moreover, the firm also noted that some employees’ data beyond the corporate credit card info had been leaked.

“The small number of associates who have had other kinds of personal information exposed will be notified directly by June 24, 2020, and will also receive complimentary identity theft protection,” the firm allegedly stated.

Details of the leaked personal information include tax identifications, social security details, passport information, driver’s license details, and many more. Cognizant has allegedly filed two statements with California authorities regarding the Maze ransomware attack. The initial letter is directed to employees regarding the attack, while the second one is directed to the affected persons.

Filed Under: Industry Tagged With: cognizant, cyber crime, Hackers, ransomware

Beware of Fake Decryption Tool Exploiting Desperate Ransomware Victims

June 8, 2020 by Arnold Kirimi

Cyber criminals can be really annoying. This time round, hackers have created malware disguised as decryption software that claims to help ransomware victims. The fake decryption tool actually double-encrypts your already compromised files, so that, without knowing it, you are jumping from the frying pan into the fire.

According to a recent report by the information security and technology news publication BleepingComputer, fake decryption software for STOP Djvu ransomware double-encrypts files, creating a much bigger problem for victims. According to the report, it lures already desperate victims with the promise of a free decryption tool and infects them with another ransomware instead.

The malware, dubbed “Zorab”, was uncovered by the creator of ID Ransomware, Michael Gillespie. There are genuine decryption tools that don’t charge huge amounts of money to decrypt files, and that is exactly what the fake decryption tool imitates. The malware promises to decrypt files at no cost, but it ends up encrypting them again.

 

Hmm, someone released a decryptor for #STOP #Djvu?
Oh wait… it's more fucking #ransomware. Don't trust anything you find online saying it can decrypt Djvu unless it is from ME. This is just one example of the shady shit victims are falling for when they don't believe me. pic.twitter.com/eWjtB8UpJe

— Michael Gillespie (@demonslay335) June 5, 2020

Ransomware operatives such as REvil, Netwalker, DoppelPaymer and Maze are popular because of their high-profile victims and the huge ransoms they attract. Now there is another ransomware, STOP Djvu, which is already infecting more victims on a daily basis than the aforementioned popular operatives combined.

How the fake decryption tool works

When a victim downloads the fake decryption tool and starts scanning their computer system by clicking the ‘start scan’ button, the tool extracts an executable file named crab.exe; this is the Zorab malware itself. Once this file is deployed, the fake decryption software double-encrypts all the files on the system and gives them a .ZRB extension.

Additionally, the ransomware creates ransom notes in every encrypted folder labeled ‘–DECRYPT–ZORAB.txt.ZRB.’ Inside the notes, there are details on how to reach the ransomware attackers to pay the ransom. Creating a fake decryption tool was a clever way to spread malware easily and quickly. Indeed, BleepingComputer’s report described STOP Djvu Ransomware as “the most actively distributed ransomware over the past year.”

Filed Under: Crypto Scam Tagged With: attackers, cryptojacking malware, cyber attack, Cyber security, Djvu, Hackers, ransomware, Scam

Cryptocurrency Ransom Escalated by 200% in 2019

June 8, 2020 by Arnold Kirimi

According to a report published by the digital forensics firm Crypsis Group, the already surging trend in ransom demands by criminals is still growing. As per the data, cryptocurrency ransoms escalated sharply, by 200 percent, from 2018 to 2019.

The 2020 Incident Response and Data Breach Report published by Crypsis Group indicates that it’s not astonishing that cyber criminals have demanded outrageous cryptocurrency ransoms over the last three years. According to the firm, the average amount demanded by cyber criminals was $115,123.

Cryptocurrency ransom demands on the rise

Moreover, the digital forensics firm noted that cyber criminals are changing their strategies to focus on enterprises in their ransomware attacks. As per the report, the attackers cautiously select their victims, so as to target those with the capability to pay huge amounts. Tactics used by criminals are gradually advancing over time.

Indeed, these new strategies have clearly adapted well enough to overcome the defense strategies put in place by the unfortunate victims. Additionally, the report highlighted that last year saw the rise of ransomware variants like Phobos, Sodinokibi (or “REvil”) and Ryuk, claiming that their strategies are “highly effective.”

Ryuk ransomware was the most widespread variant back in 2019, according to the digital forensics company. The report notes that cyber criminals depend on a banking trojan called TrickBot to carry out their scams and criminal activities against victims.

Common ransomware attacks

Back in Q4 2019, the most common type of ransomware by incident count was Sodinokibi. Sodinokibi is a ransomware-as-a-service, but it allows only a fixed number of affiliates to spread the ransomware.

Furthermore, Ryuk was also prevalent in terrorizing large enterprises during Q4 of 2019, when it was the second most popular after Sodinokibi. The median ransom demanded by Ryuk rose sharply, which was responsible for most of the doubling of the average ransom payment in Q4 2019.

Filed Under: News Tagged With: 2019, Crypto Ransom, cyber attack, cyber crimes, digital forensics firm, ransomware


Copyright © 2021 · Tron Weekly. All Rights Reserved. NOTE: Tron Weekly is an independent crypto news site that adheres to the strict journalism policy anchored on transparency, trust, and objectivity, we have no affiliation with the TRON Foundation, its founder Justin Sun or any other cryptocurrency firm.