Security Affairs

JULY 15, 2022

RedAlert is human-operated ransomware, the ransomware uses NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited types of files, including log files (.log), log), swap files(.vswp), vmdk), snapshot files (.vmsn) vmsn) and memory files(.vmem) It appends a “.crypt[Random

Ransomware 125

Ransomware Encryption File names Risk 125

Security Affairs

AUGUST 23, 2023

A previously unknown APT group, tracked as Carderbee, was behind a supply chain attack against Hong Kong organizations. The group attempted to infect target organizations with the Korplug backdoor (aka PlugX ). Cobra DocGuard Client is software produced by a Chinese firm EsafeNet, it is used to protect, encrypt, and decrypt software.

File names 79

File names Encryption Archiving Information Security 79

Security Affairs

JANUARY 7, 2022

Once encrypted a file, the ransomware appends the ‘ nightsky ‘ extension to encrypted file names. According to BleepingComputer , the group demanded one of its victims, the payment of an initial ransom of $800,000 to recover the encrypted data. Program Files Program Files (x86) #recycle.

Ransomware 130

Ransomware Encryption File names Communications 130

Security Affairs

JUNE 5, 2021

top) that was recently registered for the beginning of the group’s operations. “Based on the analysis, the Cyble research team found that Nucleus Software is the first victim of the BlackCocaine ransomware group.” BlackCocaine ” to the filenames of encrypted files. ” concludes the report.

Ransomware 125

Ransomware Encryption File names Financial Services 125

Security Affairs

OCTOBER 21, 2021

The Macaw Locker ransomware encrypts victims’ files and append the .macaw macaw extension to the file name of the encrypted files. The Evil Corp cybercrime group (aka the Dridex gang Indrik Spider , the Dridex gang, and TA505 ) has been active in cybercrime activities since 2007.

Ransomware 117

Ransomware File names Encryption Government 117

Security Affairs

AUGUST 18, 2023

SentinelOne observed China-linked APT group Bronze Starlight (aka APT10 , Emperor Dragonfly or Storm-0401) targeting the gambling sector within Southeast Asia. Bronze Starlight is a nation-state group that was observed using ransomware as means for distraction or misattribution. ” reads the analysis published by SentinelOne.

Archiving 92

Archiving File names Encryption Passwords 92

Security Affairs

MARCH 19, 2022

Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. In January, the FBI officially linked the Diavol ransomware operation to the infamous TrickBot gang , the group that is behind the TrickBot banking trojan.

Ransomware 89

Ransomware File names Encryption Cybersecurity 89

eSecurity Planet

JULY 19, 2022

The malware exfiltrates data before encrypting the targeted devices to provide additional means of extortion. The victim was a large construction group based in South America, which suggests that the hackers are aiming high – and may also be sensitive to any potential backlash from countries or law enforcement.

Ransomware 120

Ransomware Encryption File names Government 120

Security Affairs

JUNE 30, 2022

The agency released an executable along with a user manual that provides step-by-step instructions to recover encrypted data for free. The group used a variety of attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials. The offset is stored in the encrypted file name of each file.

Ransomware 107

Ransomware Cybersecurity Encryption Blockchain 107

Security Affairs

JUNE 3, 2023

ReadMe file name: README.BlackSuit.txt. blacksuit extension to the name of the encrypted files, drops a ransom note into each directory containing the encrypted files, and adds the reference to its TOR chat site in the ransom note along with a unique ID for each of its victims. Extension: blacksuit.

Ransomware 95

Ransomware Encryption File names Cybersecurity 95

Security Affairs

MARCH 26, 2021

Accenture’s Cyber Investigation & Forensic Response (CIFR) and Cyber Threat Intelligence (ACTI) teams published an analysis of the latest campaign conducted by financially motivated threat group Hades which have been operating since at least December 2020. . The copy is then deleted and an executable is unpacked in memory.

Ransomware 141

Ransomware Encryption File names Manufacturing 141

Security Affairs

OCTOBER 13, 2022

The Budworm espionage group resurfaced targeting a U.S.-based This is the first time that Symantec researchers have observed the Budworm group targeting a U.S-based The group also targeted a hospital in South East Asia. The China-linked APT27 group has been active since 2010, it targeted organizations worldwide, including U.S.

File names 130

File names Financial Services Manufacturing Libraries 130

Security Affairs

OCTOBER 27, 2021

Experts believe that the decision of the group to leave the ransomware practice could be the result of an operational error, it was a bad idea to threaten the US police department due to the information that it manages. Metropolitan Police Department, encrypted its files and demanded a $4 million ransom.

Ransomware 92

Ransomware File names Encryption Cybersecurity 92

Security Affairs

SEPTEMBER 12, 2019

Iran-linked Cobalt Dickens APT group carried out a spear-phishing campaign aimed at tens of universities worldwide. This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” ” reads the analysis published by Secureworks.

Phishing 79

Phishing Libraries File names Metadata 79

Schneier on Security

MAY 4, 2022

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. Unpacking this threat group is difficult.

IoT 101

IoT File names Encryption Access 101

Security Affairs

JULY 28, 2021

A China-linked cyberespionage group, tracked as PKPLUG, employed a previously undocumented strain of a RAT dubbed THOR in recent attacks. The analysis of the file revealed that it includes the encrypted and compressed PlugX payload. Aro.dat is, in fact, an encrypted and compressed PlugX payload.” Pierluigi Paganini.

Encryption 110

Encryption File names Communications IT 110

Security Affairs

MARCH 17, 2020

This tactic was already adopted by other ransomware gangs, including the Maze Group , Nemty gang , DoppelPaymer , and Sodinokibi crews. Nefilim will encrypt a file using AES-128 encryption, then the AES encryption key is encrypted using an RSA-2048 public key that is embedded in the ransomware executable.

Ransomware 105

Ransomware Encryption File names Access 105

Security Affairs

FEBRUARY 28, 2019

Security expert Marco Ramilli analyzed a new piece of malware apparently designed to target PIK-Group that implements ransomware , Trojan, and Miner capabilities. So I clicked on the link (see IOC section) and I’ve downloaded a “pik.zip” file. which according to google translate would be: “PIK Group of Companies order details”.

Ransomware 75

Ransomware Mining File names Encryption 75

Security Affairs

FEBRUARY 8, 2023

Researchers from Broadcom Symantec spotted a Russia-linked ATP group, tracked as Nodaria (aka UAC-0056), deploying new info-stealing malware, dubbed Graphiron, in attacks against Ukraine. “Graphiron uses AES encryption with hardcoded keys. ” Symantec concludes.

File names 82

File names Passwords Phishing Encryption 82

Security Affairs

MAY 13, 2023

After gaining access to SMB shares, threat actors encrypt all files and leave a ransom note demanding payment in exchange for the decryption key. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name “!CHECKMATE_DECRYPTION_README”

Ransomware 92

Ransomware Encryption Passwords File names 92

Security Affairs

MAY 6, 2020

The Australian transportation and logistics giant Toll Group informed its customers that it has shut down some IT systems after a new ransomware attack, it is the second infection disclosed by the company this year. The encrypted AES key will be included in the contents of each encrypted file.

Ransomware 99

Ransomware Encryption File names IT 99

Security Affairs

MARCH 3, 2020

Nemty ransomware first appeared on the threat landscape in August 2019, the name of the malware comes after the extension it adds to the encrypted file names. The ransomware deletes shadow copies of encrypted files to make in impossible any recovery procedure. Pierluigi Paganini.

Ransomware 102

Ransomware File names Encryption Archiving 102

Security Affairs

SEPTEMBER 3, 2020

The Evilnum APT group has added a new weapon to its arsenal, it is a Python-based spy RAT, dubbed PyVil, designed to target FinTech organizations. The Evilnum APT group was first spotted in 2018 while using the homonym malware. ” reads the report published by Cybereason. The PyVil RAT stores the malware settings (i.e.

Phishing 137

Phishing Encryption File names Metadata 137

Security Affairs

MAY 19, 2021

Conti ransomware also breached the network of Ireland’s Department of Health (DoH) but the ransomware failed to encrypt the systems. In a separate attack, the ransomware gang also breached the network of the country’s Department of Health (DoH) but failed to encrypt the systems of the organization.

Ransomware 85

Ransomware Encryption File names IoT 85

Security Affairs

JANUARY 11, 2022

The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom. Researchers from MalwareHunterteam first spotted the ransomware family, once encrypted a file, the ransomware appends the ‘. nightsky ‘ extension to encrypted file names.

Ransomware 101

Ransomware Libraries File names Encryption 101

Security Affairs

APRIL 24, 2021

Upon opening the attachment, ToxicEye installs itself on the victim’s device and performs some operations in background such as: stealing data deleting or transferring files killing processes on the PC hijacking the PC’s microphone and camera to record audio and video encrypting files for ransom purposes.

Communications 119

Communications File names Encryption Education 119

Security Affairs

JANUARY 12, 2022

The new variant discovered by Fortinet has the file name “Omicron Stats.exe,” threat actors are attempting to exploit the enormous interest on a global scale on the COVID-19 Omicron variant. Upon executing the Omicron Stats.exe, it unpacks resources encrypted with triple DES using ciphermode ECB and padding mode PKCS7.

Manufacturing 134

Manufacturing File names Archiving Encryption 134

Security Affairs

DECEMBER 17, 2019

Researchers spotted a new Remote Access Trojan (RAT), dubbed Dacls, that was used by the Lazarus APT group to target both Windows and Linux devices. Experts at Qihoo 360 Netlab revealed that the North-Korea Lazarus APT group used a new Remote Access Trojan (RAT), dubbed Dacls, to target both Windows and Linux devices.

CMS 75

CMS File names Encryption Access 75

Security Affairs

JULY 8, 2023

Iran-linked APT group tracked TA453 has been linked to a new malware campaign targeting both Windows and macOS systems. At the provided URL, a password-encrypted.rar file named “Abraham Accords & MENA.rar” was hosted. The.rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.”

Archiving 94

Archiving Cloud File names Metadata 94

Security Affairs

DECEMBER 5, 2021

The group resurfaced in April 2021, the malvertising campaigns targeted users in Canada, the U.S., The installer has many different file names. ” The experts noticed that the group is reportedly updating the malware families. . ” The experts noticed that the group is reportedly updating the malware families.

Sales 86

Sales File names Passwords Encryption 86

Security Affairs

JANUARY 15, 2020

The cybercrime group behind Satan ransomware and other malware seems to be involved in the development of a new threat named 5ss5c. 360download and 360safe files). ru ) to the file name of each encrypted file, for example test.txt becomes [5ss5c@mail.ru ] test. dll –TargetIp .

Ransomware 70

Ransomware File names Encryption Security 70

Security Affairs

JANUARY 9, 2020

In the last 18 months, North Korea-linked Lazarus APT group has continued to target cryptocurrency exchanges evolving its TTPs. Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and cryptocurrency exchanges.

File names 61

File names Encryption Authentication Communications 61

Security Affairs

OCTOBER 24, 2019

Fortinet has analyzed the NukeSped RAT that is believed to be a malware in the arsenal of the Lazarus North-Korea linked APT group. The attribution to the Lazarus group is based on the similarities with other malware associated with the APT group. The samples were importing a small number of common DLLs and functions.

Encryption 42

Encryption File names Ransomware IT 42

Security Affairs

JANUARY 28, 2020

Then the malware encrypts the files on the system, skipping Windows system files and folders. The SNAKE ransomware appends a ransom 5 character string to the files extension (i.e. a file named invoice.doc is encrypted and renamed like invoice.docIksrt.

Ransomware 87

Ransomware Energy and Utilities Manufacturing Encryption 87

Security Affairs

MAY 29, 2019

The threat group is also known for its recent attack campaign against Bank and Retail business sectors, but the latest evidence indicates a potential expansion of its criminal operation to other industries too. Once the macro is executed, the malware downloads two files from “kentona[.su”, Example of junk instructions used in macro.

IT 68

IT Retail Archiving File names 68

Security Affairs

AUGUST 23, 2019

Asruex first appeared in the threat landscape 2015, researchers linked it to the spyware used by the DarkHotel APT group. Researchers reported that attackers also used weaponized Word files to deliver the Asruex Trojan, in other cases the malicious code is delivered as a standard executable. EBSS section. ” continues the report.

File names 84

File names Phishing Encryption Security 84

Security Affairs

APRIL 28, 2020

The Outlaw Hacking Group is back, malware researchers from Cybaze-Yoroi ZLab have uncovered a new botnet that is targeting European organizations. The Linux malware is the well-known “ Shellbot ”, it is a crimetool belonging to the arsenal of a threat actor tracked as the “Outlaw Hacking Group. ”. Introduction. Technical Analysis.

Mining 101

Mining File names Honeypots IT 101