
This week in ransomware – Friday, April 1, 2022: something old, something new

Cybersecurity attacks are growing in frequency and severity: Telus study

A recent study from telecommunications company Telus has reported that cyberattacks are on the rise in Canada, with 98 per cent of Canadian organizations reporting a cyberattack in the last 12 months. According to the report “attacks are frequent, with 25 per cent of organizations experiencing at least one attack per day and most organizations experiencing more than 11-30 attacks per month.”

Sourced from the study which can be downloaded from www.telus.com/RansomwareStudy. (Registration required)

“Back from vacation” – hackers attack

Lapsus$, a data extortion ransomware group, claims to have hacked IT giant Globant SA and stolen 70 gigabytes of source code from the company’s customers.

The gang posted a screenshot of more than two dozen folders on their Telegram channel that allegedly contained the customers’ source code. Globant confirmed that some of their code had been accessed by unauthorized parties.

If British authorities are correct, the Lapsus$ gang is very young. They arrested seven people aged between 16 and 21 allegedly linked to the Lapsus$ gang. The gang told their fans that a few of their members were on vacation.

Despite their relative youth, the group performs sophisticated attacks, using bribes, trickery, and social engineering to steal passwords.

They are seen as a new but powerful threat by cybersecurity experts. They have recently compromised top tech organizations such as Microsoft, Nvidia, Okta, and others.

Sourced from articles on ITWorldCanada and ArsTechnica

Log4j – The threat continues…

Log4j, a utility program used in thousands of corporate systems, created a sensation when it was revealed that it had flaws that could allow hackers to load malware on a wide variety of systems.

A group from China called DEV-0401 was reported to have leveraged the flaws to deploy Nightsky ransomware on systems running VMware Horizon. In the past, this group has been identified as having deployed multiple ransomware families, including LockFile, AtomSilo, and Rook. This activity was first reported in December of 2021.

According to data security firm Sophos, the group has resurfaced and continues to attack VMware Horizon implementations on Apache servers with an exploit that allows it to take control of a device using text messages. Apache has issued at least 4 patches and VMware issued patches for Horizon on March 8th. The group continues its attack, leveraging systems that are not yet patched and systems that were compromised before the patches were applied and where backdoors were left for future attacks.

Sourced from an article in ITWorldCanada

Triple threat returns

SunCrypt was notorious in mid-2020 as one of the pioneers of triple extortion for non-paying victims. Triple threat refers to a combination of threats: the first is encrypting data, the second is stealing data and threatening to release it to the public, and the third is blackmailing clients of the victim organization.

SunCrypt has reportedly developed a better version of their strain which offers new capabilities. They have retained their use of I/O completion ports for faster encryption through process threading and also continue to encrypt both local volumes and network shares. New features include process termination, stopping services, and wiping the machine clean for ransomware execution. The new version deletes the logs and removes all traces of the ransomware itself.

Many of the new features are already present in other ransomware strains, which has led security firm Minerva Labs to speculate that this is still an early version.

Sourced from an article on Bleeping Computer
