Security News
The threat actors behind Cuba ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022. In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the agencies highlighted a "Sharp increase in both the number of compromised U.S. entities and the ransom amounts."
The threat actors behind Cuba ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022. The ransomware crew, also known as Tropical Scorpius, has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics to gain initial access and interact with breached networks.
The Ukrainian CERT has uncovered an attack campaign aimed at compromising Ukrainian organizations and irretrievably encrypting their files. To do that, they are leveraging a specific version of the Somnia ransomware that, "According to the attackers' theoretical plan, does not provide for the possibility of data decryption."
Australian health insurer Medibank today confirmed that personal data belonging to around 9.7 million of its current and former customers were accessed following a ransomware incident. "This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers, and around 1.8 million international customers," Medibank noted.
Australian health insurance provider Medibank has announced it won't be paying the ransom to the criminal(s) who stole data of 9.7 million of its current and former customers. "Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm's way by making Australia a bigger target," the company said.
Australian health insurer Medibank - which spent October discovering a security incident was worse than it first thought - has announced it will not pay a ransom to attackers that made off with personal info describing nearly ten million customers. "Based on the extensive advice we have received from cyber crime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," CEO David Koczkar stated in a stock market filing published on Monday.
A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands injected into packets and new features to evade detection of its infrastructure. The most notable improvement in this botnet version is the delivery of ransom demands directly within DDoS packets used against victims' networks.
Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations' encryptors. The samples analyzed by Unit 42 show that Ransom Cartel is missing some configuration values, meaning that the authors are either trying to make the malware leaner or that their basis is an earlier version of the REvil malware.
Now Unit 42 says Ransom Cartel shares some similarities with the notorious REvil ransomware-as-a-service gang. The researchers aren't making that leap, but they believe that at one time those cybercriminals behind Ransom Cartel had made contact with their REvil counterparts, maybe as affiliates or in some other position.
Does that mean REvil - which was behind the high-profile attack on Colonial Pipeline last year and essentially went dark just months before Ransom Cartel came to the surface - morphed into the new group and is just continuing with its nefarious ways under a new name? "Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation," Unit 42 researchers Amer Elsad and Daniel Bunce write in a recent report.