Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.
In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group.…
Researchers recently identified a fresh Gootloader malware variant known as “GootBot,” used in SEO poisoning attacks. This variant introduces features that enable threat actors to move laterally within infected systems, and make it challenging for organizations to detect or block.
Gootloader has predominantly served as an initial access provider, with certain infections leading to ransomware incidents.…
Published On : 2023-11-03
Ransomware of the WeekCYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.
Type: Ransomware.Target Technologies: MS Windows.…
As a cybersecurity company, Kaspersky is constantly dealing with known and brand-new malware samples. As part of our crimeware reporting service, we provide our customers with technical reports on the evolution of existing crimeware families, as well as newly emerging ones. In this article, we share excerpts from our reports on malware that has been active for less than a year: the GoPIX stealer targeting the PIX payment system, which is gaining popularity in Brazil; the Lumar multipurpose stealer advertised on the dark web; and the Rhysida ransomware supporting old Windows versions.…
Affected Platforms: WindowsImpacted Users: Windows usersImpact: The information collected can be used for future attacksSeverity Level: Medium
In 2023, the InfoStealer market is a reasonably crowded affair. The likes of RedLine, Raccoon, and Vidar own a significant market share, with new entrants such as SaphireStealer appearing frequently.…
Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time.…
Menlo Labs recently identified a phishing campaign targeting executives in senior level roles across various industries, but primarily Banking and Financial services, Insurance providers, Property Management and Real Estate, and Manufacturing.
The key findings based on our research of the phishing campaign are as follows:
The campaign started in July and has continued into the month of August.…September 26, 2023 – Fresh off the publication of data they exfiltrated from Sony on the Dark Web, emerging ransomware syndicate Ransomed.vc announced a new victim today: NTT Docomo, the largest mobile network operator in Japan. Ransomed.vc threat actors are also attempting to extort NTT Docomo for $1,015,000.…
This month, “Smishing Triad” has vastly expanded its attack footprint in the UAE. Resecurity, a leader in cybersecurity and threat intelligence, has identified domain names that closely resemble those used by the group in their previous campaigns. Threat actors registered the majority of these UAE-focused domains with Gname.com…
Avaddon, a notorious Ransomware-as-a-Service (RaaS) that emerged in early 2019 was known for its double-extortion tactics. It not only encrypted victims’ files but also threatened to release stolen data publicly. Avaddon’s modus operandi involved targeting a diverse range of sectors, including healthcare, government, financial services, legal, hospitality, education, and retail.…
Published by Digital Forensics and Incident Response on 15 September 2023
The CyberCX DFIR team has been engaged to assist in multiple investigations related to the Akira ransomware group, which has been seen affecting victims since April 2023. One novel technique that we’ve observed leverages deployment of ransomware onto Windows Hyper-V hypervisor systems, causing major damage to attached virtual machines (VMs).…
eSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut down three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit Ransomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately $91 million since the group’s inception, and that is just U.S.…
Using Microsoft Purview’s eDiscovery tool we searched for the senders (participants) in Microsoft Teams.
The senders of the external Microsoft Teams chat messages were identified as “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co). Truesec Threat Intelligence confirmed the accounts were compromised via an unknown malware and put up for sale on the Dark Web in August 2023.…
In ancient Greek mythology, Medusa stands as one of the most iconic and feared figures. With a head full of venomous snakes in place of hair, she had the power to turn anyone who gazed upon her into stone. This Gorgon, once a beautiful maiden, became synonymous with terror and dread. …
Resecurity has identified a large-scale smishing campaign targeting US Citizens. Previous incidents have impacted victims from the U.K, Poland, Sweden, Italy, Indonesia, Japan, and other countries. The threat group behind the campaign was skillfully impersonating the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), PostNord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate).…
Last updated at Thu, 07 Sep 2023 14:02:21 GMT
Tyler Starks, Christiaan Beek, Robert Knapp, Zach Dayton, and Caitlin Condon contributed to this blog.
Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023.…
Agniane Stealer fraudulently takes credentials, system information, and session details from browsers, tokens, and file transferring tools. Agniane Stealer also heavily targets cryptocurrency extensions and wallets. Once it obtains the sensitive data, Agniane Stealer transfers that stolen data to command-and-control [C&C] servers, where threat actors can act upon the stolen information. …
This article is not an in-depth reverse-engineering analysis of a ransomware variant. Rather, it discusses the methods and different techniques used to uncover previous ransomware campaigns.
When a ransomware is successful out in the wild, it is a common to see cybercriminals use the same ransomware samples — slightly tweaking their codebase — to pilot other projects.…