News Security

No Abatement in Ransomware Attacks

Before the victims report the incidents, the actors – be it Maze Group or REvil Group, etc. taking responsibility with impunity

There has been no abatement in Ransomware Attacks. Despite best of the fortifications the fortresses are falling prey to the perpetrators. The CIOs and CISOs are left gasping and gnawing – ‘What’s Heck….?’ Now the situation is different. Before the companies come to the public about being attacked, the actors are creating a SWAGG by putting out their valour in a blogpost or in some other notification forms creating ripples in the market. It is almost like terrorist attacks and taking responsibility of the attack. It is very unclear about the whereabouts of groups; and their inception and parentage; though ethical cyber sleuths are after the actors.

In recent times whatever happened to starting from Cognizant to Pitney Bowes to, the groups came out in the public forum and staked the claim on the act and ransom.      

First it started with Cognizant, when the company was hit by Maze, which as per the CFO of the company it could be a loss of $50 million to $70 million for the quarter.

Yesterday it was ATM Giant Diebold Nixdorf. It is the largest ATM provider in the world. The company authorities admitted that the attack was on their network and their ATM machines are safe.

However as per Diebold, the attack started on the evening of Saturday, April 25, to which the company’s security team reacted by disconnecting systems on that network to contain the spread of the malware. Which the attack was happening, the company discovered anomalous behaviour on its corporate network and suspecting a ransomware attack, the company started reacting immediately. It is a good case of cognizance and monitoring, which prevented their ATM from being attacks.

Package and mail delivery company Pitney Bowes has suffered yet another jolt due to ransomware attack within seven months. Before the company admits the perpetrator group- Maze published a blog post claiming to have breached and encrypted the company’s network. They provided proof of access in the form of 11 screenshots portraying directory listings from inside the company’s computer network. To which the company also admitted having happened.

Remember, in October 2019, Pitney Bowes had the first ransomware attack, when the company’s critical systems were infected and encrypted by the Ryuk ransomware gang.

Today’s big ransomware story is a star-studded affair, according to entertainment news website Variety says that the law firm Grubman Shire Meiselas & Sacks, or just for short, has experienced a ransomware attack that apparently involved the appropriately named REvil malware. Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, too – allegedly more than 750GB in total including contracts, contact information and “personal correspondence”.

The website is as good as offline right now [2020-05-11T14:15Z], with just a logo on display and the main menu of the website commented out entirely (the green text below denotes HTML comments):

HTML extracted from main web page at 2020-05-11T14:15Z. Green text denotes HTML code that has been commented out

Variety’s headline drops the names Lady Gaga, Madonna, Bruce Springsteen as customers who were affected, but the article itself lists many more:

Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook also is on the hackers’ hit list.

REVil, also known as Sodin or Sodinokibi, isn’t just operating on the old-school ransomware model of “scramble your files and offer to sell you back the decryption key”. The latest trend in ransomware attacks is to use a double-barrelled weapon that gives victims two reasons to pay up. The original criminal plot behind ransomware was that if you didn’t have reliable backups that you could restore quickly, then you might have little choice but to pay up to decrypt all your scrambled files and get your business moving again. Indeed, by breaking into your network first and taking time to prepare an attack that scrambles most or all of your computers at the same time, cybercriminals aim to cause the most significant disruption that they can. That has led to some eye-watering ransom amounts, with demands over $1,000,000 very common these days.

In recent months, however, the crooks have doubled down on their leverage. Before scrambling all your files as a way of grabbing your attention, the crooks quietly upload huge troves of so-called “trophy data” that they use to blackmail anyone who is hesitant to pay up. In other words, the financial extortion is no longer just a “kidnap ransom” to get your files back, but also a blackmail demand to stop the crooks leaking your data – or, worse still, your customers’ data – to the world. The modus operandi seems to be to leak what you might call a proof-of-concept sample first, as a way of convincing the victim that the data really did get exfiltrated… and then let more and more go as part of the “bargaining” process to persuade the victim into negotiating.

Indeed, the REvil crew has already followed through on its threats to embarrass victims who don’t pay.

Maze goes in for huge ransoms and threatens to expose stolen data, infamously demanding about $6,000,000 last year from cable and wire manufacturer Southwire. Southwire hit back by filing a so-called John Doe (the name used in the USA where defendants haven’t yet been identified) civil lawsuit against the as-yet- uknown unknown criminals behind Maze.

Related posts

IFS Acquires EmpowerMX


Phaneesh Gururaj is Head of Engineering for Ema, India


Zeronsec Partners with Web Werks Data Centers