Ransomware Archives - Page 3 of 7

BlackByte Ransomware Targets Windows Driver Vulnerability

BlackByte, MSI Afterburner utility, Ophtek, Ransomware, RTCore64.sys, update driversBlackByte, MSI Afterburner utility, Ophtek, ransomware, RTCore64.sys, update driversOphtek, LLC

Oct 2022

A vulnerable Windows driver has been revealed to be the ‘hole in the fence’ that the BlackByte ransomware needs to breach your IT infrastructure.

The attack is interesting in that it uses a relatively new attack strategy known as Bring Your Own Vulnerable Driver (BYOVD). It’s an attack method which targets vulnerabilities in drivers to take control of the victim’s PC. And, to maximize the impact of the breach, the ransomware goes on to disable more than 1,000 drivers associated with security software.

The ransomware involved in this recent attack is believed to have been brewed by the BlackByte threat actors, a hacking group whose origins can be traced to the infamous Conti hacking team. Clearly, the BlackByte team know what they are doing and it’s vital that you are aware of their strategies.

What is BlackByte?

The vulnerable driver in the sights of BlackByte’s target is RTCore64.sys, a driver associated with the MSI Afterburner utility found in countless graphics cards. To be specific, RTCore64.sys is a kernel driver, and this means that it’s involved in the transfer of data between a piece of hardware and a PC’s operating system. The problem with RTCore64.sys is that it’s associated with the CVE-2019-16098 vulnerability.

Once BlackByte has exploited the CVE-2019-16098 vulnerability, the threat actors can access the arbitrary memory of that PC. Access to this area gives BlackByte the opportunity to assume administration privileges, execute commands and transmit data. The ransomware also prides itself on its ‘anti-analysis’ strength, a fact most evidenced by its ability to disable numerous security products and remain undetected.

The Importance of Updating Drivers

The vulnerability at the heart of BlackByte’s attack, CVE-2019-16098, is far from new and, therefore, is a very different attack to that of a zero-day vulnerability. In fact, the CVE-2019-16098 vulnerability has been known of since 2019. This underlines the fact that hackers will focus on known vulnerabilities – after all, it’s much easier to attack an existing vulnerability than to spend time trying to find new ones. As a result, it’s crucial that you update any drivers when prompted to or, more simply, you activate automatic updates.

Not all driver vulnerabilities, however, have updates available due to a variety of reasons such as support being discontinued for a product. Thankfully, it’s still possible to minimize the risk of these vulnerable drivers. As long as your organization keeps a log of all the authorized drivers used within your IT infrastructure, you can regularly check the security status of these drivers. If one is found to be vulnerable with no patch available, you can simply apply block rules to these drivers.

Final Thoughts

The threat presented by BlackByte’s ransomware has the potential to create chaos across your IT network and needs to be taken seriously. And it’s not the only risk which utilizes these methods as, for example, the Avos Locker ransomware uses similar strategies. Accordingly, the importance of applying updates and monitoring vulnerable drivers has never been stronger.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Cuba Ransomware Collects Over $40 Million in Ransom Fees

Backup, Cuba ransomware, Ophtek, Phishing, Ransomware, Updatesbackup, cuba ransomware, Ophtek, phishing, ransomware, updatesOphtek, LLC

Aug 2022

Using a new remote access trojan, threat actors behind the Cuba ransomware have amassed ransom payments estimated to be close to $44 million.

Over the past five years, countless headlines have been generated by the damage caused by ransomware attacks. Not only do they compromise access to your organization’s data, but they also have the potential to inflict painful financial damage. To make matters worse, these attacks are evolving to become more powerful and harder to prevent. In fact, on many occasions (and as we’ll see with the Cuba ransomware) these evolutions will take place over a matter of months.

Ransomware, therefore, is a very real threat to your organization’s IT network, so it’s important that you understand exactly how the Cuba ransomware operates.

What is the Cuba Ransomware?

Cuba was first detected in late 2019 before disappearing from the frontline and returning two years later in November 2021. Evidence of the Cuba ransomware has been detected in around 60 ransomware attacks, with 40 of these victims revealed to be US-based. Cuba is delivered to PCs through the Hancitor loader, a type of malware which is used to download and execute additional malware e.g. remote access trojans. Hancitor makes its way onto PCs through a variety of means such as phishing emails, stolen login credentials and software vulnerabilities.

Since Cuba first emerged onto the digital landscape, it has undergone a series of significant changes. The most notable changes have seen it terminating more processes before it locks files, widening the range of file types it encrypts and, believe it or not, enhancing its support options for victims wanting to pay. Cuba has also been observed operating a backdoor trojan called ROMCOM RAT, a piece of malware which deletes files and logs data to a remote server.

Protecting Yourself Against the Cuba Ransomware

With Cuba collecting ransom payments of over $40 million, it’s clear to see Cuba is a dangerously effective threat. It’s also important to point out there is currently no known decryption tool available to combat Cuba’s encryption methods. Accordingly, you need to be on your guard against this threat and any similar attacks. Therefore, make sure you practice the following:

Beware of phishing emails: one of the most common attack methods employed by hackers, phishing emails use social engineering techniques to pressure you into clicking links and downloading files. However, following the instructions within a phishing email are a guaranteed one-way ticket to having your PC compromised. Always check, double check, and then ask an IT professional to evaluate any suspicious links or documents you receive.

Have a strong backup game: if your files become encrypted by Cuba then the only option you have for unlocking your files is to pay a ransom fee or restore the files from a secure backup. When it comes to backups, there are a variety of options available and it pays to implement multiple backup strategies to preserve your data.

Install updates: Cuba has the power to exploit software vulnerabilities to gain unauthorized access to computer networks, so it’s crucial that you always install updates as soon as possible. The install process for updates can feel time consuming, but when you have the option to automate these installations, there’s no reason this shouldn’t take place.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Hello XD Ransomware is no Laughing Matter

Data Backup, Hello XD, Ophtek, Phishing, Ransomware, Russian Hackerbackup data, Hello XD, Ophtek, phishing, ransomware, Russian HackerOphtek, LLC

Jun 2022

The Hello XD ransomware was first spotted in the digital wild back in November 2021, but recent research indicates that it’s becoming more virulent.

There’s no such as ‘good’ ransomware, but it’s not unreasonable to describe Hello XD as ‘disastrous’ due to its enhanced capabilities. Whereas, previously, Hello XD focused its efforts on the standard ransomware practice of encrypting files, its evolved form now includes a backdoor feature. This enhanced functionality allows the transfer of data from infected PCs to external sources. Combined with its ransomware feature, this new form of Hello XD represents a huge security risk.

Ransomware is a highly problematic attack, and it’s one which your organization needs to avoid at all costs. Hello XD is the latest in a long line of ransomware attacks and, as ever, it could save you a fortune by understanding how it operates.

Hello XD Steps Up Its Game

Spread through various phishing techniques, Hello XD operates in the following manner once it arrives on a PC:

Hello XD’s first step is to disable shadow copy capabilities, this means that system snapshots cannot be saved or accessed. System recovery, therefore, can’t be used to counter the impact of Hello XD.

The infected system’s hard drive is then encrypted by Hello XD, all files are encrypted with a .hello extension and rendered inaccessible.

A ransom note is issued to the victim through a text file which instructs them to communicate with the threat actors through the TOX chat system. Featuring strong end-to-end encryption, TOX provides a cloak of secrecy for the hackers while they communicate with their victims.

Hello XD’s final move is to use its backdoor functionality – a program named Microbackdor – to steal files, wipe any evidence of the PC being compromised and execute remote commands.

Clearly, Hello XD packs a powerful punch and has the capability to bring your organizations IT operations to a halt. It is believed that Hello XD has been designed by X4K, a Russian-speaking hacker who has been advertising his wares on various hacking forums. It’s also likely that X4K will enhance Hello XD’s capabilities even further for future attacks, so it’s crucial you remain alert.

How Do You Say Goodbye to Hello XD?

The best way to avoid falling victim to Hello XD is by practicing the following:

Understand phishing techniques: Hello XD, and many other forms of ransomware, use phishing strategies such as mass emails to snare their victims. Emails, for example, which instill a sense of urgency over financial matters can be used to encourage users to open malicious attachments. However, if your employees understand the tell-tale signs of social engineering, they will be better placed to avoid falling victim to phishing attacks.

Keep backups offline: it’s essential that you keep backups of your data and system snapshots offline to retain control over your data. While this will not stop a ransomware attack, it does provide your organization with a solution if they are attacked. A threat actor will be unable to encrypt offline files, and this ensures that you can restore your data without paying a ransom.

For more ways to secure and optimize your business technology, contact your local IT professionals.

British Snacks in Short Supply Due to Ransomware Attack

anti malware, Backup Strategies, Employee Training, Ophtek, PC Security, PC Training, Ransomwareanti-malware, backup, Ophtek, PC Security, rensomware, TrainingOphtek, LLC

Feb 2022

British shoppers have been warned to expect some of their favorite snacks to be in short supply following a ransomware attack on a major manufacturer.

KP Snacks has been producing snacks in Britain since the 1850s, but this production has recently run into a major obstacle: ransomware. Cyber criminals have successfully launched a ransomware attack on KP Snacks, and its effects are running deep. Due to the impact of the ransomware on their IT infrastructures, KP Snacks has had to advise stores that delays in production are expected. As a result, British shoppers are likely to be facing empty shelves when they head out to pick up their favorite snacks.

Snack food may not be crucial to society, but the impacts of this hack demonstrate why organizations need to remain vigilant.

The Story Behind the Snack Attack

Following an unexplained outage of their IT systems, KP Snacks investigated and discovered that they had fallen victim to a strain of ransomware. The exact details of the ransomware in question has not, as of yet, been disclosed. However, rumors are circulating that the attack was launched by the WizardSpider group, a gang of hackers who attacked the Irish health service in 2021. It’s alleged, according to leaked sources, that KP Snacks was given five days to pay a ransom fee, but clarification on this is lacking.

The response of KP Snacks has been to launch a defensive strike against the attack. Being a major organization, the snack makers had a cybersecurity response plan which was quickly put into action. Third-party security experts have also been drafted in to complete a forensic analysis of the firm’s IT infrastructure. Nonetheless, the disruption to productivity has hit KP Snacks hard. As well as their IT systems being compromised, their communications systems have been hit equally hard. In modern business, these two elements are essential for operating and, as a result, supply shortages are expected.

Protecting Yourself Against Ransomware

While a shortage of snacks may sound like a mild inconvenience, this is only the tip of the iceberg. Not only is there a financial risk for KP Snacks, but the company’s employees can also expect financial ramifications e.g. delayed payments due to compromised IT systems and even the threat of redundancy. Naturally, this is a situation that no organization wants to find itself in, so make sure you always follow this advice:

Always Backup: the main impact of ransomware is that it encrypts files before demanding a ransom fee to decrypt them. However, you can minimize the impact of this effect by ensuring you have a strong backup strategy in place. This will provide you with access to your data and provide you with business continuity.

User Training: ransomware can be activated in a number of different ways such as infected emails, malicious links and running outdated software. Thankfully, shutting these attack routes down is relatively easy with the correct training. Therefore, regular staff training is vital when it comes to securing your IT defenses.

Install Anti-Malware Tools: it’s almost impossible to detect every single threat in the digital wild, but anti-malware tools will protect you from most of them. Installing anti-malware tools is simple and instantly provides an enhanced level of protection against ransomware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

What are Initial Access Brokers?

Cyber Security, Hackers, IAB, Initial access brokers, Ophtek, RansomwareCyber Security, hackers, IAB, Initial access broker, Ophtek, ransomwareOphtek, LLC

Aug 2021

Gaining access to an unauthorized network is every hacker’s dream. And, now, this is easier than ever thanks to the rise of initial access brokers.

Initial access brokers (IABs) are a relatively new trend in the world of hacking. These threats have been tracked for several years now, but they have yet to create major headlines. Nonetheless, they represent a major threat to your organization’s security. And the number of IABs operating online is rising. Therefore, it’s important that you understand what IABs are and the threat they represent. So, to help keep your organization safe, we’re going to look at IABs.

What is an IAB?

We’ve discussed ransomware in depth on numerous occasions, but we’re yet to touch upon the role of IABs when it comes to ransomware. The hard work, for a hacker, is breaking into a network. Most networks will have some level of security, so significant time needs to be invested to beat this. But what if there was someone you could go to for ready-made access? It would be a dream scenario for a hacker and it’s one which is provided by IABs.

Acting as a literal broker, IABs carry out extensive research on organizations to identify those that are considered vulnerable. Slowly, these IABs will build up a portfolio of vulnerable targets and details on how to gain access to their networks. This takes the hard work out of hacking for the hackers and ensures that, for a fee, details of vulnerable networks can be quickly obtained. The majority of these deals take place on the dark web with access details being sold to the highest bidder.

How Do You Avoid Becoming an IAB Listing?

IABs are not selective in the industries that they target and tend to scour all industries for potential victims. These threats are also unfolding on a global basis, but some research has shown that a third of IAB listings involve businesses located in the US. Accordingly, you will want to make sure you don’t find your organization having its vulnerabilities advertised as being for sale. And you can do this by taking note of the following:

Eliminate Any Vulnerabilities: The simplest way to prevent IABs identifying your network vulnerabilities is by eliminating them. The best method for implementing this is by installing all firmware and patches as soon as they are available. This approach will close any potential entry points to IABs.

Train Your Staff: One of the quickest ways for IABs to gain access to your network is through your staff. Social engineering, for example, can quickly provide an IAB with a route straight into your network. Educating your staff, and regularly refreshing this knowledge, is essential for reducing unauthorized access to your network.

Check IAB Listings: Although IAB listings do not always directly list who the target is, it’s possible to narrow the options down and identify industry trends. As most of these listings are found on the dark web, it’s a good idea to employ an IT professional to investigate them and advise of any potential risks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

« Previous 1 2 3 4 5 … 7 Next »

Category Archives: Ransomware