Tuesday, November 9th, 2021
Security News & Industry Updates
Check out some of the latest cyber-attack news from around the world below – from ransomware attacks to other sophisticated cyber threats resulting in massive data breaches.
The latest trends
Suspected REvil ransomware affiliates arrested during the ongoing crackdown on ransomware
On November 4th, Romanian law enforcement authorities arrested two suspects believed to be Sodinokibi/REvil ransomware affiliates, accused of launching 5,000 ransomware attacks. On the same day, Kuwaiti authorities also arrested a GandCrab ransomware affiliate.
The arrests bring the total to seven suspects linked to REvil and GandCrab arrested since February 2021, including three individuals believed to be REvil affiliates apprehended in South Korea in February, April and October, and one arrested in Europe last month.
The arrests are part of Operation GoldDust, which involves 17 countries, including the United States, in an effort to combat ransomware gangs.
REvil (also known as Sodinokibi) is one of the most prolific RaaS operations out there. In August 2021, REvil made cybercrime history with the largest ransom demand of all time, demanding $70 million to decrypt the 1,000-plus victims of the Kaseya ransomware attack. REvil was previously responsible for a ransomware attack on JBS, the world’s largest meatpacker, which fetched a ransom of $11 million. In April, REvil stole and published blueprints from Apple supplier Quanta Computer; that attack reportedly involved a $50 million ransom demand.
U.S. offers $10 million reward for leaders of REvil/Darkside ransomware
In addition to Operation GoldDust, the U.S. announced that it will offer up to $10 million for information identifying or locating leaders of the REvil (Sodinokibi) ransomware operation, and up to $5 million for information leading to the arrest of affiliates. The bounty is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), which rewards informants for information that leads to the arrest or conviction of individuals in transnational organized crime groups.
Robinhood Security Breach Exposes Data on Millions of Users
On Monday, 9th November, Robinhood Markets Inc. announced a security breach that exposed the personal information of 7 million of its users. Most of the 7 million affected accounts had only one piece of personal information exposed: either the user’s name or their email address. In over 300 cases, however, more sensitive data such as date of birth and zip code was exposed, along with the user’s full name.
No Social Security, bank account or debit card numbers are believed to have been compromised. The main risk from this breach is that the exposed information could be used to facilitate further attacks, such as targeted phishing.
MediaMarkt hit by Hive ransomware, initial $240 million ransom
MediaMarkt, Europe’s largest consumer electronics retailer, has suffered a Hive ransomware attack with an initial ransom demand of $240 million, causing IT systems to shut down and disrupting store operations in the Netherlands and Germany.
MediaMarkt has approximately 53,000 employees and total sales of €20.8 billion. The attack began on Sunday evening and ran into Monday morning, encrypting servers and workstations and leading to the shutdown of IT systems to prevent the attack’s spread. While online sales continue to function as expected, cash registers at affected stores cannot accept credit cards or print receipts.
The Hive ransomware operation is believed to be behind the attack and has demanded $240 million in exchange for a decryptor for the encrypted files.
A ransom of this size is typical: it leaves the attackers room for negotiation.
Hive is a new and potentially devastating ransomware operation. Launched in June 2021, it is known to breach organizations through malware-laced phishing campaigns. Once they gain access to a network, the threat actors move laterally through it while stealing unencrypted files to use in extortion demands. If a ransom is not paid, the stolen files are published on the group’s ‘HiveLeaks’ data leak site.
A cyber attack on a company, large or small, can be costly to fix and hugely disruptive to business. On top of this, if customers’ personal details are stolen, the business risks severe reputational damage.
Attackers are adapting to their environment, creating tools and workarounds that both exploit existing vulnerabilities and leverage new weaknesses to compromise personal and business networks. Cybercrime isn’t going anywhere, so you must be prepared.
FBI: HelloKitty ransomware adds DDoS attacks to extortion tactics
The FBI has sent out a flash alert warning private industry partners that the HelloKitty ransomware gang, also known as FiveHands, has added distributed denial-of-service (DDoS) attacks to its arsenal of extortion tactics.
In a Friday notification coordinated with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI said that the ransomware group would take their victims’ official websites down in DDoS attacks if they didn’t comply with the ransom demands.
HelloKitty is also known for stealing sensitive documents from victims’ compromised servers before encrypting them. The exfiltrated files are later used as leverage to pressure the victims into paying the ransom under the threat of leaking the stolen data online on a data leak site.
When it comes to ransomware, prevention is key! Here are some tips from our experts:
Secure and monitor your endpoints
Invest in EDR solutions that continually monitor endpoints such as PCs, laptops and servers to identify and block malicious processes. Deploy a SIEM solution with 24/7 monitoring by a SOC. With a SOC in place, you have a much better chance of detecting ransomware in your environment than with traditional tools alone, because it provides a holistic view of the network and automated analysis of security events based on professionally configured detection rules.
Regular data backups
The 3-2-1 rule is best practice for backup and recovery. Simply put, it means you should keep at least 3 copies of your data, on 2 different media formats, with at least 1 copy offsite. Moreover, make sure you know how to restore files from the backup in the event of an incident, and regularly test that restores work as expected; a backup that has never been restored is not yet a backup.
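The 3-2-1 check and the restore test described above, as an added example that is not part of the original post: it audits a constructed inventory of backup copies against the rule and confirms that a restored copy hashes to the same digest as the data that was backed up (which is exactly what a ransomware-encrypted or tampered "backup" fails). The `BackupCopy` fields, location labels and dataset bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a dataset (constructed schema for this example)."""
    location: str   # label for the copy, e.g. "nas-01", "lto-tape-7", "s3-eu-west"
    media: str      # media family, e.g. "disk", "tape", "object-storage"
    offsite: bool   # True if the copy lives away from the production site
    sha256: str     # digest of the copy's content, recorded when it was written


def check_3_2_1(copies):
    """Return a list of rule violations; an empty list means 3-2-1 is satisfied."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need at least 3)")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"only {len(media)} media type(s) (need at least 2)")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def verify_restore(restored_bytes, expected_sha256):
    """A restore only counts if it reproduces the bytes that were backed up."""
    return hashlib.sha256(restored_bytes).hexdigest() == expected_sha256


def audit(copies, restored_bytes, expected_sha256):
    """Combine the inventory check with a restore test; returns (ok, problems)."""
    problems = check_3_2_1(copies)
    if not verify_restore(restored_bytes, expected_sha256):
        problems.append("restore test failed: content digest mismatch")
    return (not problems, problems)


# Constructed sample data: the 'production' dataset and its recorded digest.
DATASET = b"customer-ledger-2021-11-08\n"
DIGEST = hashlib.sha256(DATASET).hexdigest()
# Three copies on two media with one offsite: satisfies 3-2-1.
GOOD_SET = [BackupCopy("nas-01", "disk", False, DIGEST),
            BackupCopy("lto-tape-7", "tape", False, DIGEST),
            BackupCopy("s3-eu-west", "object-storage", True, DIGEST)]
# Two disk copies in the same server room: a common anti-pattern.
WEAK_SET = [BackupCopy("nas-01", "disk", False, DIGEST),
            BackupCopy("nas-02", "disk", False, DIGEST)]

if __name__ == "__main__":
    print(audit(GOOD_SET, DATASET, DIGEST))
    print(audit(WEAK_SET, DATASET, DIGEST))
```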
Prepare for an incident
Identify your critical assets and determine the impact on each if it were affected by a malware attack. Plan for an attack even if you think it is unlikely: there are many examples of organisations hit by collateral malware damage even though they were not the intended target. Most importantly, exercise your incident management plan.
Regular Penetration Testing
Ransomware attacks feed on the weaker nodes and vulnerable sections of the network. The best way to prevent a ransomware attack, or any cyberattack for that matter, is to find and eliminate these vulnerabilities before an attacker does. Conduct a ransomware readiness exercise.
Security awareness training
Regular security awareness training is an indispensable part of avoiding serious trouble. Before any strain of ransomware can gain a foothold on a targeted system, it first has to find its way in. That usually happens through social engineering, most often phishing emails that carry attachments loaded with hidden malware, or that prompt recipients to click malicious URLs that eventually install malware without the user noticing.
Patch management
Patching is a critical component in defending against ransomware, because cyber-criminals often study newly released patches to identify the vulnerabilities they fix and then target systems that have not yet been patched. It is critical that organisations ensure all systems have the latest patches applied, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.