Evolution Mining Faces Ransomware Attack but Operations Remain Stable
On August 8, 2024, Evolution Mining, one of Australia’s largest gold producers, disclosed a ransomware attack that disrupted its IT systems. The company brought in external cybersecurity specialists and says the incident is now contained. Evolution Mining, which also operates in Canada, produced more than 650,000 ounces of gold in 2023 as well as copper. Despite the IT disruption, the company has told stakeholders that mining operations are unaffected and that it expects no material impact on production, which indicates either that the attack never reached operational systems or that corporate IT and production networks were separated well enough for it to be contained quickly. The Australian Cyber Security Centre has been notified; no ransomware gang has yet claimed responsibility, and it is not known whether data was stolen.
Ukrainian Government Agencies Targeted by Malware in Phishing Attack
Hackers impersonating Ukraine’s Security Service (SSU) have compromised more than 100 government computers through malicious emails, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The emails, in circulation since mid-July 2024, falsely requested documents for an SSU inspection and linked to a Documents.zip archive that installed the ANONVNC remote-access malware. The malware was signed with a code-signing certificate issued to a Chinese company, lending it an appearance of legitimacy and giving the attackers covert remote access to infected systems. CERT-UA says the campaign targeted central and local government bodies, and the full impact is still being assessed. The incident fits a broader pattern of cyberattacks against Ukraine, often attributed to Russian-affiliated groups, and underscores the persistent cyber threat the country faces.
North Korean Hackers Steal Sensitive South Korean Military Data
South Korea’s ruling People Power Party (PPP) has raised the alarm over a significant breach, stating that North Korean hackers obtained critical technical information on the K2 “Black Panther” tank and the Baekdu and Geumgang reconnaissance aircraft. The stolen data, which reportedly includes design blueprints and operational details, poses a serious threat to South Korea’s military security; the PPP warns it could help North Korea evade surveillance and gain a strategic edge. Part of the leak reportedly occurred when engineers at a South Korean defense contractor moved to a competing firm and took sensitive data with them. Separately, a defense contractor responsible for maintaining the reconnaissance aircraft was hacked, leading to further data theft. In response, the PPP is calling for stronger cybersecurity measures and legislative action to counter escalating cyber-espionage from North Korea.
FBI Takes Down Dispossessor Ransomware Operation, Seizes Key Servers
The FBI, in collaboration with international law enforcement agencies, has successfully dismantled the Dispossessor ransomware operation, seizing critical servers and websites. This takedown involved partners such as the U.K.’s National Crime Agency and German authorities. Dispossessor, led by a threat actor known as “Brain,” has targeted small to mid-sized businesses globally since August 2023, leveraging vulnerabilities and weak security practices to steal data and deploy ransomware. The group initially reposted data from other ransomware operations like LockBit, Cl0p, and 8base before escalating to using the leaked LockBit 3.0 encryptor in their attacks.
This operation is part of a broader law enforcement campaign against ransomware. Recent actions have also targeted the ALPHV/BlackCat, Ragnar Locker and Hive ransomware operations, as well as affiliates who deployed LockerGoga, MegaCortex, Hive and Dharma. Seizing servers and leak sites in this way disrupts the groups’ ability to extort victims and publish stolen data.
Creator of Ransom Cartel and Reveton Ransomware Arrested, Extradited to U.S.
Maksim Silnikau, a Belarusian-Ukrainian national, has been arrested in Spain and extradited to the United States to face charges related to the creation of the Ransom Cartel ransomware operation in 2021 and the notorious Reveton ransomware. Silnikau, who operated under aliases such as “J.P. Morgan” and “lansky,” is accused of orchestrating ransomware attacks and a large-scale malvertising scheme from 2013 to 2022.
Ransom Cartel, launched in December 2021, shares significant code with the infamous REvil ransomware, leading analysts to believe it was developed by a core member of the REvil group. Silnikau allegedly ran this ransomware-as-a-service operation, recruiting affiliates and handling negotiations with victims. He is also accused of being behind Reveton, an earlier trojan that locked users out of their computers while posing as a law enforcement fine demand. Reveton, active from 2011, generated an estimated $400,000 a month and inspired similar lockers such as Urausy and Harasom.
Silnikau faces charges across two U.S. districts and could face over 100 years in prison if convicted on all counts, including wire fraud and computer fraud.
3AM Ransomware Breach Exposes Data of 464,000 Kootenai Health Patients
Kootenai Health, a major healthcare provider in Idaho, has reported a significant data breach affecting over 464,000 patients. The breach was perpetrated by the 3AM ransomware gang, which gained unauthorized access to Kootenai’s systems on February 22, 2024. The attackers spent ten days inside the network, stealing sensitive data before their presence was detected on March 2. The stolen information includes patients’ full names, dates of birth, Social Security numbers, driver’s licenses, medical records, diagnoses, and health insurance details.
The 3AM ransomware operation, known for its Rust-based encryptor, first surfaced in September 2023 as a fallback payload deployed when LockBit was blocked, and researchers have since linked it to the Conti and Royal operations. Following the attack, the stolen data was published on 3AM’s darknet leak site as a 22GB archive, available for free download by other cybercriminals. Kootenai Health has notified affected individuals and is offering identity protection services.
AutoCanada Hit by Cyberattack, Impacting Internal IT Systems
AutoCanada, a prominent automobile dealership group, has disclosed a cyberattack that targeted its internal IT systems, potentially leading to operational disruptions. The company acted swiftly, enlisting external cybersecurity experts to contain the breach and begin remediation. However, the extent of the attack, including whether customer, supplier, or employee data was compromised, remains under investigation.
No ransomware group has yet claimed responsibility. Notably, AutoCanada was already affected this year by the BlackSuit ransomware attack on CDK Global, one of its service providers, whose prolonged IT outage disrupted AutoCanada’s operations and contributed to a $33.1 million loss for Q2 2024, down from a $45.2 million profit in the same quarter the previous year. The new attack adds further uncertainty as AutoCanada works to fully restore its systems.
RansomHub Ransomware Gang Deploys New Malware to Disable Security Software
The RansomHub ransomware group has begun using a new tool, dubbed EDRKillShifter, to disable Endpoint Detection and Response (EDR) software in targeted attacks. It implements a Bring Your Own Vulnerable Driver (BYOVD) technique: an attacker who already has administrative rights on the victim’s machine installs a legitimately signed but vulnerable driver, then abuses its flaws to run code with kernel privileges and terminate protected security processes that an administrator could not otherwise kill.
Discovered by Sophos researchers during a May 2024 ransomware investigation, EDRKillShifter is a loader: it decrypts an embedded payload, which drops and loads one of several known-vulnerable drivers (Sophos observed RentDrv2 and ThreatFireMonitor) and uses them to kill active EDR processes. The tool failed in this particular incident, but it reflects a growing trend among ransomware gangs, including those behind Medusa Locker and LockBit, who have used similar EDR-killing tools such as AuKill.
Sophos recommends enabling tamper protection in security products, maintaining strict separation between user and admin privileges, and ensuring systems are kept up-to-date to mitigate such attacks.
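A practical detection for the BYOVD pattern described above is to watch driver-load telemetry for known-vulnerable or oddly located drivers and correlate it with security-agent processes dying shortly afterwards. The following script is an added example written for this article, not Sophos’s code or anything from EDRKillShifter. It parses constructed Sysmon-style records (Event ID 6 “Driver loaded” and Event ID 5 “Process terminated”) and raises an alert when a suspicious driver load is followed within a short window by the termination of an EDR process. The driver file names, EDR process names and every log line are assumptions constructed for the example, not real indicators of compromise.

```python
"""BYOVD / EDR-killer detection over constructed Sysmon-style events.

Added example, not code from Sophos or from the RansomHub tooling.
Sysmon Event ID 6 (Driver loaded) carries ImageLoaded and SignatureStatus;
Event ID 5 (Process terminated) carries Image. Everything below is
constructed sample data; the driver and process names are assumptions.
"""
import re
from datetime import datetime

# Assumed on-disk names for the two drivers named in the article; the
# real file names are not given there, so treat these as placeholders.
VULNERABLE_DRIVERS = {"rentdrv2.sys", "tfsysmon.sys"}

# Assumed names of security-agent processes whose death we care about.
EDR_PROCESSES = {"msmpeng.exe", "sophoshealth.exe", "sentinelagent.exe"}

# Drivers installed properly normally live here; a load from %ProgramData%
# or %TEMP% is a strong BYOVD signal even when the signature is valid.
ALLOWED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = r"""
EventID: 6
UtcTime: 2024-05-02 10:15:30.100
ImageLoaded: C:\Windows\System32\drivers\tcpip.sys
Signed: true
SignatureStatus: Valid

EventID: 6
UtcTime: 2024-05-02 10:16:02.415
ImageLoaded: C:\ProgramData\Updater\rentdrv2.sys
Signed: true
SignatureStatus: Valid

EventID: 5
UtcTime: 2024-05-02 10:16:03.900
Image: C:\Windows\notepad.exe

EventID: 5
UtcTime: 2024-05-02 10:16:06.250
Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24050.7-0\MsMpEng.exe
"""


def parse_events(text):
    """Split 'Key: Value' blocks separated by blank lines into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; paths keep theirs
            ev[key.strip()] = value.strip()
        if ev:
            events.append(ev)
    return events


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def driver_findings(ev):
    """Reasons an Event ID 6 record looks like a BYOVD driver load."""
    path = ev.get("ImageLoaded", "").lower()
    reasons = []
    if basename(path) in VULNERABLE_DRIVERS:
        reasons.append(f"known-vulnerable driver {basename(path)}")
    if not path.startswith(ALLOWED_DRIVER_DIR):
        reasons.append("loaded outside System32\\drivers")
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def detect_edr_kill(text, window_seconds=60):
    """Flag suspicious driver loads; escalate if an EDR process dies soon after."""
    events = parse_events(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != "6":
            continue
        reasons = driver_findings(ev)
        if not reasons:
            continue
        t0 = parse_time(ev["UtcTime"])
        killed = []
        for later in events[i + 1:]:
            if later.get("EventID") != "5":
                continue
            delta = (parse_time(later["UtcTime"]) - t0).total_seconds()
            if 0 <= delta <= window_seconds and basename(later.get("Image", "")) in EDR_PROCESSES:
                killed.append(basename(later["Image"]))
        alerts.append({
            "time": ev["UtcTime"],
            "driver": basename(ev["ImageLoaded"]),
            "reasons": reasons,
            "killed": killed,
            "severity": "high" if killed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_edr_kill(SAMPLE_EVENTS):
        print(alert)
```

Note that the flagged driver in the sample carries a valid signature: that is the whole point of BYOVD, so a rule that trusts any signed driver will miss it. The load path and the known-vulnerable name are what trigger the alert, and the EDR process termination a few seconds later is what escalates it to high severity; a production rule would source the driver list from a maintained vulnerable-driver blocklist rather than the two placeholder names used here.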
National Public Data Confirms Breach Exposing Millions of Social Security Numbers
National Public Data (NPD), a prominent background check service, has confirmed a significant data breach, exposing millions of Social Security numbers and other sensitive personal information. The compromised data includes names, email addresses, phone numbers, Social Security numbers, and postal addresses.
The breach appears to stem from an intrusion in late December 2023. NPD acknowledged leaks of the data in April and again in the summer of 2024, which it believes are connected to that earlier incident. The company says it has cooperated with law enforcement and continues to monitor the situation.
Troy Hunt, the founder of the Have I Been Pwned (HIBP) service, analyzed a leaked version of the NPD database and identified 134 million unique email addresses. However, Hunt also noted inaccuracies, such as outdated information and errors in personal data, including multiple birthdates linked to a single email address. The breach has prompted at least one class action lawsuit against Jerico Pictures, the operator of NPD.
Affected individuals are advised to monitor their financial accounts for signs of fraud and be cautious of phishing attempts that could exploit the leaked contact information.
Conclusion
The growing sophistication and frequency of these attacks underscore the need for robust cybersecurity measures and preparedness. Whether the task is defending against ransomware that can cripple an entire operation or limiting the fallout from a data breach, proactive defenses matter far more than recovery after the fact.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.