Spain Arrests Three for Using Pro-Russian Hacktivist Platform
Spanish authorities have apprehended three individuals involved with DDoSia, a platform used for conducting distributed denial of service (DDoS) attacks. These arrests occurred in Seville, Huelva, and Manacor, where police also seized computer equipment and documents critical to the investigation. Despite these arrests, the hacktivist group continued their DDoS attacks against European Union targets the following Monday. DDoSia, operated by the pro-Russian group NoName057, uses software developed by the group to execute attacks, leveraging volunteers’ bandwidth. This platform has notably targeted government entities in Poland and Switzerland, leading to significant service disruptions. In June 2023, cybersecurity firm Sekoia reported a 2,400% growth in DDoSia’s activities, with over 13,000 users on its Telegram channel. Spanish investigators are now working to identify additional participants involved in these attacks, highlighting the serious and ongoing threat posed by such hacktivist operations.
Play Ransomware Targets VMware ESXi Virtual Machines with New Linux Variant
Play ransomware has developed a new Linux locker specifically designed to encrypt VMware ESXi virtual machines, marking their first known attack on ESXi environments. Detected by cybersecurity firm Trend Micro, this ransomware variant checks for an ESXi environment before executing, demonstrating advanced evasion techniques on Linux systems. This shift aligns with a broader trend where ransomware groups target ESXi VMs due to their widespread use in enterprise data storage and critical application hosting. Disabling and encrypting these VMs can severely disrupt business operations. Play ransomware uses URL-shortening services from a threat actor known as Prolific Puma and adds a .PLAY extension to encrypted files. It also leaves a ransom note in the VM’s root directory, visible in the ESXi client’s login portal. High-profile victims of Play ransomware include Rackspace and the City of Oakland, with the FBI, CISA, and ACSC advising enhanced security measures to mitigate such threats.
KnowBe4 Faces Infostealer Attack After Hiring North Korean Hacker
KnowBe4, an American cybersecurity firm, recently uncovered that a newly hired Principal Software Engineer was actually a North Korean state actor attempting to install information-stealing malware on company devices. Fortunately, the firm’s security measures detected and thwarted the malicious activity before any data breach occurred. This incident underscores the persistent threat from North Korean operatives posing as IT professionals, a danger the FBI has highlighted since 2023. North Korea employs a large cadre of IT workers who hide their true identities to gain employment at American companies, using the revenue to fund national cyber operations and intelligence gathering.
Despite conducting thorough background checks and multiple video interviews, KnowBe4 later discovered the individual had used a stolen identity and AI tools to create a convincing profile. Suspicion arose on July 15, 2024, when KnowBe4’s EDR system flagged malware activity from the new hire’s Mac workstation. The malware targeted web browser data, likely to harvest credentials from prior sessions. Upon confrontation, the actor initially made excuses but soon ceased all communication.
To mitigate such risks, KnowBe4 advises isolating new hires in a sandbox environment, avoiding remote use of external devices, and treating inconsistencies in shipping addresses as potential red flags.
U.S. State Department Offers Up to $10 Million for Information on North Korean Hacker
The U.S. State Department is offering up to $10 million for information leading to the capture of Rim Jong Hyok, a North Korean military hacker associated with the Andariel hacking group. Hyok and his group have been linked to Maui ransomware attacks on critical infrastructure and healthcare organizations in the U.S. Charged with conspiracy to commit computer hacking and promotion money laundering, Hyok has a federal arrest warrant issued in the District of Kansas.
U.S. investigations have connected these hackers to ransomware incidents affecting two U.S. Air Force bases, five healthcare providers, four defense contractors, and NASA’s Office of Inspector General. The State Department noted that Hyok and his accomplices hacked U.S. hospitals, installed Maui ransomware, and extorted ransoms to fund further cyber operations.
In a notable incident in November 2022, Andariel hackers stole over 30 gigabytes of data, including information on military aircraft and satellites, from a U.S. defense contractor. The Rewards for Justice program, which offers rewards for information on threats to U.S. national security, is handling the tips and has set up a dedicated Tor SecureDrop server for submissions.
Additionally, a joint advisory by CISA, the FBI, and cybersecurity agencies from the UK and South Korea identified Andariel under aliases including APT45 and Onyx Sleet, linking the group to North Korea’s Reconnaissance General Bureau. Andariel focuses on stealing sensitive military and intellectual property information, posing a significant ongoing threat to various industry sectors worldwide. Critical infrastructure organizations are advised to follow the mitigations recommended in the advisory.
Russian Ransomware Gangs Account for 69% of All Ransom Proceeds
Russian-speaking cybercriminals were responsible for 69% of all cryptocurrency proceeds linked to ransomware attacks last year, amassing over $500 million. This data comes from TRM Labs, a blockchain intelligence firm that tracks crypto-assisted financial crimes. While North Korea leads in cryptocurrency theft through breaches, Russian actors dominate other forms of crypto-related cybercrime.
In 2023, major Russian ransomware groups included LockBit, Black Basta, ALPHV/BlackCat, Cl0p, PLAY, and Akira. Despite some disruptions, such as the shutdown of ALPHV/BlackCat and reduced activity from LockBit due to law enforcement efforts, new groups like RansomHub have emerged to fill the void. LockBit and ALPHV alone collected at least $320 million in cryptocurrency ransoms last year, with total Russian ransomware proceeds exceeding $500 million.
Russian cybercriminals not only excel in ransomware but also in running darknet markets, which accounted for 95% of global illicit sales in 2023. The largest Russian dark web markets handled $1.4 billion in transactions, vastly outpacing Western counterparts. Furthermore, Russia is a major hub for money laundering, with Garantex, a Russia-based entity, responsible for 82% of cryptocurrency handled by sanctioned organizations globally.
TRM attributes the high involvement of Russians in cybercrime to historical, regulatory, and normative factors, along with Russia’s political isolation, which complicates tracking and apprehending these criminals. The ongoing war in Ukraine has further intensified the flow of illicit funds, with $85 million recorded as moving from Russia to Chinese firms supplying military equipment to Russian forces.
FBCS Data Breach Now Affects Over 4.2 Million Individuals
Financial Business and Consumer Solutions (FBCS) has updated the scope of its February data breach, revealing that the incident now affects approximately 4.2 million people in the United States. Initially, the company reported that around 1.9 million individuals were impacted. This number was later revised to 3.2 million. In the latest update, FBCS, in collaboration with the Maine Attorney General’s office, disclosed that the breach affects a total of 4,253,394 people. The compromised data includes sensitive information such as Social Security numbers, dates of birth, and driver’s license numbers. Notifications have been issued to those affected, offering free credit monitoring and identity restoration services. Although the precise nature of the attack remains unclear, individuals are advised to remain vigilant against potential phishing attempts and monitor their credit reports for signs of fraud.
Conclusion
The increasing sophistication and frequency of cyber threats, including ransomware attacks, underscore the importance of having a proactive and comprehensive cybersecurity strategy. Recent events highlight the urgent need for robust defenses and effective response plans to mitigate the impact of such attacks.
As specialists in ransomware recovery and cybersecurity, we provide essential services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If you need expert assistance to navigate and recover from a ransomware incident, reach out to us for tailored solutions.