Security News

Sodinokibi Ransomware Operators Target POS Software
2020-06-24 19:05

The threat actor behind the Sodinokibi ransomware was observed scanning the victim networks for credit card or point of sale software. An off-the-shelf tool, Cobalt Strike is employed by a broad range of threat actors, including multiple ransomware gangs.

Dridex Operators Develop 'WastedLocker' Ransomware
2020-06-24 14:20

On the infected host, WastedLocker first performs a series of operations to ensure it runs properly, and only then proceeds to encrypt files. The ransomware can delete shadow copies to prevent data recovery, and can encrypt files in specific directories only, or all files on a drive.

Maze ransomware gang threatens to publish sensitive stolen data after US aerospace biz sensibly refuses to pay
2020-06-24 12:30

The Maze ransomware gang has threatened to publish information stolen from an American firm that overhauls airliners and installs flight control software upgrades - because its victim refused to pay a demanded ransom. In a "Press release" published on its leaks website, Maze raged against victims who refused to play its game and cough up vast sums of money to decrypt their illicitly encrypted data.

Ransomware perspectives: The shape of things to come
2020-06-24 05:00

The commoditization of ransomware as a service, and how that has played into current economic distress, allowing people to get into the crime business - mainly out of necessity. Ransomware attacks increasingly target cities and municipalities.

Sodinokibi Ransomware Now Scans Networks For PoS Systems
2020-06-23 20:35

Cybercriminals behind recent Sodinokibi ransomware attacks are now upping their ante and scanning their victims' networks for credit card or point of sale software. It's not yet clear whether the attackers are targeting this PoS software to encrypt it as part of the ransomware attack, or because they want to scrape the credit card information on the systems as a way to make even more money in addition to the ransomware attack.

Hakbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments
2020-06-23 14:39

A ransomware campaign, dubbed Hakbit, is targeting mid-level employees across Austria, Switzerland and Germany with malicious Excel attachments delivered via the popular email provider GMX. The spear-phishing-based campaign is low volume and has so far targeted the pharmaceutical, legal, financial, business service, retail, and healthcare sectors. In this campaign, when GuLoader runs, it downloads and executes Hakbit, a known ransomware that encrypts files using AES-256 encryption.

Nothing fills you with confidence in an IT contractor more than hearing its staff personal records were stolen by ransomware hackers. Right, Cognizant?
2020-06-18 22:32

Staff records - from social-security and corporate credit card numbers, to passport and bank account details - were siphoned from Cognizant by hackers who then doused the IT contractor in ransomware. A pair of disclosures [PDF] from Cognizant to the California Attorney General's office, mandated by US state law, this week shed more light on its Maze ransomware infection.

'Work pressure' sees Maze ransomware gang demand payoff from wrong company
2020-06-18 20:40

The Maze ransomware gang has screwed up by targeting a New York design and construction firm instead of the Canadian Standards Association it was intending to hit. Just like that, the New Yorkers got caught in the ransomware crossfire when the Maze gang began hunting for their next target.

Cognizant Says Data Was Stolen in April Ransomware Attack
2020-06-18 19:46

Technology services giant Cognizant has informed clients that the Maze ransomware attack it suffered in April 2020 resulted in personally identifiable and financial information being stolen. On April 20, the company discovered that cybercriminals had breached its network and that the Maze ransomware was used to encrypt data on internal systems.

Avon cosmetics suffers “cyber incident” – but was it ransomware?
2020-06-17 16:58

You may have heard the name DoppelPaymer before - along with numerous other ransomware gangs including Maze and Revil, the crooks behind this one don't just scramble your data, they steal copies of it first. As we've regularly explained in Naked Security, many ransomware attacks turn out to be the final chapter in a sometimes lengthy series of malware infections, where each infection is used as the vehicle to implant the next.