ransomware

missouri-county-declares-state-of-emergency-amid-suspected-ransomware-attack

Missouri county declares state of emergency amid suspected ransomware attack

Biz & IT, hacking, jackson county, ransomware, Security / /

IT SYSTEMS HELD HOSTAGE —

Outage occurs on same day as special election, but election offices remain open.

Downtown Kansas City, Missouri, which is part of Jackson County.

Enlarge / Downtown Kansas City, Missouri, which is part of Jackson County.

Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable.

“Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack,” officials wrote Tuesday. “Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal.”

The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice.

The closure occurred the same day that the county was holding a special election to vote on a proposed sales tax to fund a stadium for MLB’s Kansas City Royals and the NFL’s Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections have been affected by the attack; both remain open.

To date, ransomware attacks have hit 28 county, municipal, or tribal governments this year, according to Brett Callow, a threat analyst with security firm Emsisoft. Last year, there were 95; 106 occurred in 2022.

The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri.

The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised.

“We are currently in the early stages of our diagnostic procedures, working closely with our cybersecurity partners to thoroughly explore all possibilities and identify the root cause of the situation,” officials wrote. “While the investigation considers ransomware as a potential cause, comprehensive analyses are underway to confirm the exact nature of the disruption.”

Jackson County Executive Frank White Jr. has issued an executive order declaring a state of emergency.

“The potential significant budgetary impact of this incident may require appropriations from the County’s emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts,” White wrote. “It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack.”

The attack first came to attention Tuesday morning, county officials said on Facebook.

The county has notified law enforcement and retained IT security contractors to help investigate and remediate the attack.

“The County recognizes the impact these closures have on its residents,” officials wrote. “We appreciate the community’s patience and understanding during this time and will provide more information as it becomes available.”

Missouri county declares state of emergency amid suspected ransomware attack Read More »

amid-paralyzing-ransomware-attack,-feds-probe-unitedhealth’s-hipaa-compliance

Amid paralyzing ransomware attack, feds probe UnitedHealth’s HIPAA compliance

Change Healthcare, cyberattack, health, HHS, HIPAA, Policy, ransomware, Science, unitedhealth / /

most significant and consequential incident —

UnitedHealth said it will cooperate with the probe as it works to restore services.

Multistory glass-and-brick building with UnitedHealthcare logo on exterior.

As health systems around the US are still grappling with an unprecedented ransomware attack on the country’s largest health care payment processor, the US Department of Health and Human Services is opening an investigation into whether that processor and its parent company, UnitedHealthcare Group, complied with federal rules to protect private patient data.

The attack targeted Change Healthcare, a unit of UnitedHealthcare Group (UHG) that provides financial services to tens of thousands of health care providers around the country, including doctors, dentists, hospitals, and pharmacies. According to an antitrust lawsuit brought against UHG by the Department of Justice in 2022, 50 percent of all medical claims in the US pass through Change Healthcare’s electronic data interchange clearinghouse. (The DOJ lost its case to prevent UHG’s acquisition of Change Healthcare and last year abandoned plans for an appeal.)

As Ars reported previously, the attack was disclosed on February 21 by UHG’s subsidiary, Optum, which now runs Change Healthcare. On February 29, UHG accused the notorious Russian-speaking ransomware gang known both as AlphV and BlackCat of being responsible. According to The Washington Post, the attack involved stealing patient data, encrypting company files, and demanding money to unlock them. The result is a paralysis of claims processing and payments, causing hospitals to run out of cash for payroll and services and preventing patients from getting care and prescriptions. Additionally, the attack is believed to have exposed the health data of millions of US patients.

Earlier this month, Rick Pollack, the president and CEO of the American Hospital Association, called the ransomware attack on Change Healthcare “the most significant and consequential incident of its kind against the US health care system in history.”

Now, three weeks into the attack, many health systems are still struggling. On Tuesday, members of the Biden administration met with UHG CEO Andrew Witty and other health industry leaders at the White House to demand they do more to stabilize the situation for health care providers and services and provide financial assistance. Some improvements may be in sight; on Wednesday, UHG posted an update saying that “all major pharmacy and payment systems are up and more than 99 percent of pre-incident claim volume is flowing.”

HIPAA compliance

Still, the data breach leaves big questions about the extent of the damage to patient privacy, and the adequacy of protections moving forward. In an additional development Wednesday, the health department’s Office for Civil Rights (OCR) announced that it is opening an investigation into UHG and Change Healthcare over the incident. It noted that such an investigation was warranted “given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.”

In a “Dear Colleague” letter dated Wednesday, the OCR explained that the investigation “will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.” HIPAA is the Health Insurance Portability and Accountability Act, which establishes privacy and security requirements for protected health information, as well as breach notification requirements.

In a statement to the press, UHG said it would cooperate with the investigation. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” the statement read. “We are working with law enforcement to investigate the extent of impacted data.”

The Post notes that the federal government does have a history of investigating and penalizing health care organizations for failing to implement adequate safeguards to prevent data breaches. For instance, health insurance provider Anthem paid a $16 million settlement in 2020 over a 2015 data breach that exposed the private data of almost 79 million people. The exposed data included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. The OCR investigation into the breach discovered that the attack began with spear phishing emails that at least one employee of an Anthem subsidiary fell for, opening the door to further intrusions that went undetected between December 2, 2014, and January 27, 2015.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” OCR Director Roger Severino said at the time. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Amid paralyzing ransomware attack, feds probe UnitedHealth’s HIPAA compliance Read More »

after-collecting-$22-million,-alphv-ransomware-group-stages-fbi-takedown

After collecting $22 million, AlphV ransomware group stages FBI takedown

alphv, Biz & IT, blackcat, exit scam, ransomware, Security / /
A ransom note is plastered across a laptop monitor.

The ransomware group responsible for hamstringing the prescription drug market for two weeks has suddenly gone dark, just days after receiving a $22 million payment and standing accused of scamming an affiliate out of its share of the loot.

The events involve AlphV, a ransomware group also known as BlackCat. Two weeks ago, it took down Change Healthcare, the biggest US health care payment processor, leaving pharmacies, health care providers, and patients scrambling to fill prescriptions for medicines. On Friday, the bitcoin ledger shows, the group received nearly $22 million in cryptocurrency, stoking suspicions the deposit was payment by Change Healthcare in exchange for AlphV decrypting its data and promising to delete it.

Representatives of Optum, the parent company, declined to say if the company has paid AlphV.

Honor among thieves

On Sunday, two days following the payment, a party claiming to be an AlphV affiliate said in an online crime forum that the nearly $22 million payment was tied to the Change Healthcare breach. The party went on to say that AlphV members had cheated the affiliate out of the agreed-upon cut of the payment. In response, the affiliate said it hadn’t deleted the Change Healthcare data it had obtained.

A message left in a crime forum from a party claiming to be an AlphV affiliate. The post claims AlphV scammed the affiliate out of its cut.

Enlarge / A message left in a crime forum from a party claiming to be an AlphV affiliate. The post claims AlphV scammed the affiliate out of its cut.

vxunderground

On Tuesday—four days after the bitcoin payment was made and two days after the affiliate claimed to have been cheated out of its cut—AlphV’s public dark web site started displaying a message saying it had been seized by the FBI as part of an international law enforcement action.

The AlphV extortion site as it appeared on Tuesday.

Enlarge / The AlphV extortion site as it appeared on Tuesday.

The UK’s National Crime Agency, one of the agencies the seizure message said was involved in the takedown, said the agency played no part in any such action. The FBI, meanwhile, declined to comment. The NCA denial, as well as evidence the seizure notice was copied from a different site and pasted into the AlphV one, has led multiple researchers to conclude the ransomware group staged the takedown and took the entire $22 million payment for itself.

“Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized,” Fabian Wosar, head of ransomware research at security firm Emsisoft, wrote on social media. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice.”

After collecting $22 million, AlphV ransomware group stages FBI takedown Read More »

us-prescription-market-hamstrung-for-9-days-(so-far)-by-ransomware-attack

US prescription market hamstrung for 9 days (so far) by ransomware attack

alphv, Biz & IT, critical infrastructure, healthcare, ransomware, Security / /

RX CHAOS —

Patients having trouble getting lifesaving meds have the AlphV crime group to thank.

US prescription market hamstrung for 9 days (so far) by ransomware attack

Getty Images

Nine days after a Russian-speaking ransomware syndicate took down the biggest US health care payment processor, pharmacies, health care providers, and patients were still scrambling to fill prescriptions for medicines, many of which are lifesaving.

On Thursday, UnitedHealth Group accused a notorious ransomware gang known both as AlphV and Black Cat of hacking its subsidiary Optum. Optum provides a nationwide network called Change Healthcare, which allows health care providers to manage customer payments and insurance claims. With no easy way for pharmacies to calculate what costs were covered by insurance companies, many had to turn to alternative services or offline methods.

The most serious incident of its kind

Optum first disclosed on February 21 that its services were down as a result of a “cyber security issue.” Its service has been hamstrung ever since. Shortly before this post went live on Ars, Optum said it had restored Change Healthcare services.

“Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” an update said. “As a result, we have enabled this service for all customers effective 1 pm CT, Friday, March 1, 2024.”

AlphV is one of many syndicates that operates under a ransomware-as-a-service model, meaning affiliates do the actual hacking of victims and then use the AlphV ransomware and infrastructure to encrypt files and negotiate a ransom. The parties then share the proceeds.

In December, the FBI and its equivalent in partner countries announced they had seized much of the AlphV infrastructure in a move that was intended to disrupt the group. AlphV promptly asserted it had unseized its site, leading to a tug-of-war between law enforcement and the group. The crippling of Change Healthcare is a clear sign that AlphV continues to pose a threat to critical parts of the US infrastructure.

“The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a US health care organization,” said Rick Pollack, president and CEO of the American Hospital Association. Citing Change Healthcare data, Pollack said that the service processes 15 billion transactions involving eligibility verifications, pharmacy operations, and claims transmittals and payments. “All of these have been disrupted to varying degrees over the past several days and the full impact is still not known.”

Optum estimated that as of Monday, more than 90 percent of roughly 70,000 pharmacies in the US had changed how they processed electronic claims as a result of the outage. The company went on to say that only a small number of patients have been unable to get their prescriptions filled.

The scale and length of the Change Healthcare outage underscore the devastating effects ransomware has on critical infrastructure. Three years ago, members affiliated with a different ransomware group known as Darkside caused a five-day outage of Colonial Pipeline, which delivered roughly 45 percent of the East Coast’s petroleum products, including gasoline, diesel fuel, and jet fuel. The interruption caused fuel shortages that sent airlines, consumers, and filling stations scrambling.

Numerous ransomware groups have also taken down entire hospital networks in outages that in some cases have threatened patient care.

AlphV has been a key contributor to the ransomware menace. The FBI said in December the group had collected more than $300 million in ransoms. One of the better-known victims of AlphV ransomware was Caesars Entertainment and casinos owned by MGM, which brought operations in many Las Vegas casinos to a halt. A group of mostly teenagers is suspected of orchestrating that breach.

US prescription market hamstrung for 9 days (so far) by ransomware attack Read More »

ransomware-associated-with-lockbit-still-spreading-2-days-after-server-takedown

Ransomware associated with LockBit still spreading 2 days after server takedown

Biz & IT, connectwise, lockbit, ransomware, screenconnect, Security / /

LINGERING RANSOMWARE MENACE —

LockBit’s extensive reach is making complete erasure hard.

A stylized skull and crossbones made out of ones and zeroes.

Two days after an international team of authorities struck a major blow at LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise. According to researchers at two security firms—SophosXOps and Huntress—attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn’t immediately clear if the ransomware was the official LockBit version.

“We can’t publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can’t attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

Muddying the attribution waters

SophosXOps and Huntress didn’t say if the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren’t part of the official operation.

“When builds are leaked, it can also muddy the waters with regards to attribution,” researchers from security firm Trend Micro said Thursday. “For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon, impersonating LockBit. The group used email addresses and URLs that gave victims the impression that they were dealing with LockBit.”

SophosXOps said only that it had “observed several LockBit attacks.” A company spokesperson said no other details were available. Hammond said the malware was “associated with” the ransomware group and wasn’t immediately able to confirm if the malware was the official version or a knockoff.

The attacks come two days after officials in the UK, US, and Europol announced a major disruption of LockBit. The action included seizing control of 14,000 accounts and 34 servers, arresting two suspects, and issuing five indictments and three arrest warrants. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation. The actions came after investigators hacked and took control of the LockBit infrastructure.

Authorities said LockBit has extorted more than $120 million from thousands of victims around the world, making it among the world’s most active ransomware groups. Like most other ransomware groups, LockBit operates under a ransomware-as-a-service model, in which affiliates share the revenue they generate in exchange for using the LockBit ransomware and infrastructure.

Given the sheer number of affiliates and their broad geographic and organizational distribution, it’s often not feasible for all of them to be neutralized in actions like the one announced Tuesday. It’s possible that some affiliates remain operational and want to signal that the ransomware franchise will continue in one form or another. It’s also possible that the infections SophosXOps and Huntress are seeing are the work of an unaffiliated group of actors with other motivations.

Besides installing the LockBit-associated ransomware, Hammond said, the attackers are installing several other malicious apps, including a backdoor known as Cobalt Strike, cryptocurrency miners, and SSH tunnels for remotely connecting to compromised infrastructure.

The ScreenConnect vulnerabilities are under mass exploitation and are tracked as CVE-2024-1708 and CVE-2024-1709. ConnectWise has made patches available for all vulnerable versions, including those no longer actively supported.

Ransomware associated with LockBit still spreading 2 days after server takedown Read More »

after-years-of-losing,-it’s-finally-feds’-turn-to-troll-ransomware-group

After years of losing, it’s finally feds’ turn to troll ransomware group

Biz & IT, hacking, lockbit, ransomware, Security, takedowns / /

LOOK WHO’S TROLLING NOW —

Authorities who took down the ransomware group brag about their epic hack.

After years of losing, it’s finally feds’ turn to troll ransomware group

Getty Images

After years of being outmaneuvered by snarky ransomware criminals who tease and brag about each new victim they claim, international authorities finally got their chance to turn the tables, and they aren’t squandering it.

The top-notch trolling came after authorities from the US, UK, and Europol took down most of the infrastructure belonging to LockBit, a ransomware syndicate that has extorted more than $120 million from thousands of victims around the world. On Tuesday, most of the sites LockBit uses to shame its victims for being hacked, pressure them into paying, and brag of their hacking prowess began displaying content announcing the takedown. The seized infrastructure also hosted decryptors victims could use to recover their data.

The dark web site LockBit once used to name and shame victims, displaying entries such as

Enlarge / The dark web site LockBit once used to name and shame victims, displaying entries such as “press releases,” “LB Backend Leaks,” and “LockbitSupp You’ve been banned from Lockbit 3.0.”

this_is_really_bad

Authorities didn’t use the seized name-and-shame site solely for informational purposes. One section that appeared prominently gloated over the extraordinary extent of the system access investigators gained. Several images indicated they had control of /etc/shadow, a Linux file that stores cryptographically hashed passwords. This file, among the most security-sensitive ones in Linux, can be accessed only by a user with root, the highest level of system privileges.

Screenshot showing a folder named

Enlarge / Screenshot showing a folder named “shadow” with hashes for accounts including “root,” “daemon,” “bin,” and “sys.”

Other images demonstrated that investigators also had complete control of the main web panel and the system LockBit operators used to communicate with affiliates and victims.

Screenshot of a panel used to administer the LockBit site.

Enlarge / Screenshot of a panel used to administer the LockBit site.

Screenshot showing chats between a LockBit affiliate and a victim.

Enlarge / Screenshot showing chats between a LockBit affiliate and a victim.

The razzing didn’t stop there. File names of the images had titles including: “this_is_really_bad.png,” “oh dear.png,” and “doesnt_look_good.png.” The seized page also teased the upcoming doxing of LockbitSupp, the moniker of the main LockBit figure. It read: “Who is LockbitSupp? The $10m question” and displayed images of cash wrapped in chains with padlocks. Copying a common practice of LockBit and competing ransomware groups, the seized site displayed a clock counting down the seconds until the identifying information will be posted.

Screenshot showing

Enlarge / Screenshot showing “who is lockbitsupp?”

In all, authorities said they seized control of 14,000 accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Two LockBit suspects have been arrested in Poland and Ukraine, and five indictments and three arrest warrants have been issued. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation.

“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement,” Europol officials said. “This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets linked to these criminal activities.”

LockBit has operated since at least 2019 under the name “ABCD.” Within three years, it was the most widely circulating ransomware. Like most of its peers, LockBit operates under what’s known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to compromise victims. LockBit and the affiliates then divide any resulting revenue. Hundreds of affiliates participated.

According to KrebsOnSecurity, one of the LockBit leaders said on a Russian-language crime forum that a vulnerability in the PHP scripting language provided the means for authorities to hack the servers. That detail led to another round of razzing, this time from fellow forum participants.

“Does it mean that the FBI provided a pen-testing service to the affiliate program?” one participant wrote, according to reporter Brian Krebs. “Or did they decide to take part in the bug bounty program? :):).”

Several members also posted memes taunting the group about the security failure.

“In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head—offering $10 million to anyone who could discover his real name,” Krebs wrote. “‘My god, who needs me?’ LockBitSupp wrote on January 22, 2024. ‘There is not even a reward out for me on the FBI website.’”

After years of losing, it’s finally feds’ turn to troll ransomware group Read More »

hackers-can-infect-network-connected-wrenches-to-install-ransomware

Hackers can infect network-connected wrenches to install ransomware

Biz & IT, hack, ransomware, Security / /

TORQUE THIS —

Researchers identify 23 vulnerabilities, some of which can exploited with no authentication.

The Rexroth Nutrunner, a line of torque wrench sold by Bosch Rexroth.

Enlarge / The Rexroth Nutrunner, a line of torque wrench sold by Bosch Rexroth.

Bosch Rexroth

Researchers have unearthed nearly two dozen vulnerabilities that could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices.

The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999. The NEXO-OS, the firmware running on devices, can be controlled using a browser-based management interface.

NEXO-OS's management web application.

Enlarge / NEXO-OS’s management web application.

Nozomi

Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place. B

Bosch officials emailed a statement that included the usual lines about security being a top priority. It went on to say that Nozomi reached out a few weeks ago to reveal the vulnerabilities. “Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem,” the statement said. “This patch will be released at the end of January 2024.”

In a post, Nozomi researchers wrote:

The vulnerabilities found on the Bosch Rexroth NXA015S-36V-B allow an unauthenticated attacker who is able to send network packets to the target device to obtain remote execution of arbitrary code (RCE) with root privileges, completely compromising it. Once this unauthorized access is gained, numerous attack scenarios become possible. Within our lab environment, we successfully reconstructed the following two scenarios:

  • Ransomware: we were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom. Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.
A PoC ransomware running on the test nutrunner.

Enlarge / A PoC ransomware running on the test nutrunner.

Nozomi

  • Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
A manipulation of view attack. The actual torque applied in this tightening was 0.15 Nm.

A manipulation of view attack. The actual torque applied in this tightening was 0.15 Nm.

Hackers can infect network-connected wrenches to install ransomware Read More »

alphv-ransomware-site-is-“seized”-by-the-fbi-then-it’s-“unseized”-and-so-on.

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on.

alphv, Biz & IT, fbi, ransomware, Security, tor / /

DUELING SEIZURES —

In a bizarre twist, both groups issue dueling notices to ransomware website.

Shortly after the FBI posted a notice saying it had seized the dark-web site of AlphV, the ransomware group posted this notice claiming otherwise.

Enlarge / Shortly after the FBI posted a notice saying it had seized the dark-web site of AlphV, the ransomware group posted this notice claiming otherwise.

The FBI spent much of Tuesday locked in an online tug-of-war with one of the Internet’s most aggressive ransomware groups after taking control of infrastructure the group has used to generate more than $300 million in illicit payments to date.

Early Tuesday morning, the dark-web site belonging to AlphV, a ransomware group that also goes by the name BlackCat, suddenly started displaying a banner that said it had been seized by the FBI as part of a coordinated law enforcement action. Gone was all the content AlphV had posted to the site previously.

Around the same time, the Justice Department said it had disrupted AlphV’s operations by releasing a software tool that would allow roughly 500 AlphV victims to restore their systems and data. In all, Justice Department officials said, AlphV had extorted roughly $300 million from 1,000 victims.

An affidavit unsealed in a Florida federal court, meanwhile, revealed that the disruption involved FBI agents obtaining 946 private keys used to host victim communication sites. The legal document said the keys were obtained with the help of a confidential human source who had “responded to an advertisement posted to a publicly accessible online forum soliciting applicants for Blackcat affiliate positions.”

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said in Tuesday’s announcement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Within hours, the FBI seizure notice displayed on the AlphV dark-web site was gone. In its place was a new notice proclaiming: “This website has been unseized.” The new notice, written by AlphV officials, downplayed the significance of the FBI’s action. While not disputing the decryptor tool worked for 400 victims, AlphV officials said that the disruption would prevent data belonging to another 3,000 victims from being decrypted.

“Now because of them, more than 3,000 companies will never receive their keys.”

As the hours went on, the FBI and AlphV sparred over control of the dark-web site, with each replacing the notices of the other.

One researcher described the ongoing struggle as a “tug of Tor,” a reference to Tor, the network of servers that allows people to browse and publish websites anonymously. Like most ransomware groups, AlphV hosts its sites over Tor. Not only does this arrangement prevent law enforcement investigators from identifying group members, it also hampers investigators from obtaining court orders compelling the web host to turn over control of the site.

The only way to control a Tor address is with possession of a dedicated private encryption key. Once the FBI obtained it, investigators were able to publish Tuesday’s seizure notice to it. Since AlphV also maintained possession of the key, group members were similarly free to post their own content. Since Tor makes it impossible to change the private key corresponding to an address, neither side has been able to lock the other out.

With each side essentially deadlocked, AlphV has resorted to removing some of the restrictions it previously placed on affiliates. Under the common ransomware-as-a-service model, affiliates are the ones who actually hack victims. When successful, the affiliates use the AlphV ransomware and infrastructure to encrypt data and then negotiate and facilitate a payment by bitcoin or another cryptocurrency.

Up to now, AlphV placed rules on affiliates forbidding them from targeting hospitals and critical infrastructure. Now, those rules no longer apply unless the victim is located in the Commonwealth of Independent States—a list of countries that were once part of the former Soviet Union.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere,” the AlphV notice said. The notice said that AlphV was also allowing affiliates to retain 90 percent of any ransom payments they get, and that ‘VIP’ affiliates would receive a private program on separate isolated data centers. The move is likely an attempt to stanch the possible defection by affiliates spooked by the FBI’s access to the AlphV infrastructure.

The back and forth has prompted some to say that the disruption failed, since AlphV retains control of its site and continues to possess the data it stole from victims. In a discussion on social media with one such critic, ransomware expert Allan Liska pushed back.

“The server and all of its data is still in possession of FBI—and ALPHV ain’t getting none of that back,” Liska, a threat researcher at security firm Recorded Future, wrote.

Social media post by Liska arguing the FBI maintains access to AlphV infrastructure.

Enlarge / Social media post by Liska arguing the FBI maintains access to AlphV infrastructure.

“But, hey you are correct and I am 100% wrong. I encourage you, and all ransomware groups to sign up to be an ALPHV affiliate now, it is definitely safe. Do it, Chicken!”

AlphV ransomware site is “seized” by the FBI. Then it’s “unseized.” And so on. Read More »

wolverine-developer-insomniac-games-sees-1.67tb-of-secrets-leaked-in-data-breach

Wolverine-developer Insomniac Games sees 1.67TB of secrets leaked in data breach

gaming, Insomniac Games, leak, PlayStation, ransomware, Sony / /

Ransomware —

Future Ratchet & Clank, X-Men, and Spider-Man games exposed—but it gets worse.

Wolverine sits at a bar in a game screenshot

Enlarge / An officially released image for Insomniac Games’ upcoming game Wolverine.

Acclaimed Sony-owned game development studio Insomniac Games became the victim of a large-scale ransomware attack this week, as initially reported by Cyber Daily. Ransomware group Rhysida dumped 1.67TB of data, including assets and story spoilers from unreleased games, a road map of upcoming titles, internal company communications, employees’ personal data such as passport scans and compensation figures, and much more.

The gang said it chose Insomniac because, as a large and successful studio, it made an attractive target for a money grab. The ransom was $2 million, and Insomniac refused to pay it.

As a result, a trove of emails, Slack messages, slideshow presentations, and more hit the web. Notably, these included screenshots and assets from the studio’s upcoming Wolverine game, as well as confirmation that Wolverine is planned to be the first in a trilogy of games starring X-Men characters. The materials also revealed that the company is working on another Ratchet & Clank game and a new Spider-Man sequel.

Rhysida put some of the data up for bidding by parties other than Insomniac itself, and some was sold.

Insomniac Games has an impressive history of top-selling games, particularly on PlayStation consoles. It became a household name with the Spyro the Dragon series on the first PlayStation. It went on to create and shepherd the Ratchet & Clank series on PlayStation 2, and it released several more Ratchet & Clank games on PlayStation 3, alongside a first-person shooter series dubbed Resistance.

More recently, the studio has released new Ratchet & Clank games on PlayStation 4 and PlayStation 5 and three critically acclaimed games based on Marvel’s Spider-Man. It also dabbled in VR development on the Oculus platform and released an Xbox exclusive called Sunset Overdrive before it was acquired by Sony to become a first-party PlayStation studio in August 2019.

As one of the industry’s most accomplished and successful developers, it has an enormous audience of fans who will likely avail themselves of the leaked information about upcoming titles. The leaks also expose internal company information that may be of interest to Sony’s direct competitors, such as Microsoft.

This is far from the first example of a large leak from a triple-A game developer or publisher. For example, footage of Rockstar Games’ highly anticipated Grand Theft Auto VI made its way onto the Internet last year. There was also a relatively recent high-profile leak affecting Cyberpunk 2077 and The Witcher III: Wild Hunt developer CD Projekt Red. Going back decades, there was the infamous incident of leaked Half-Life 2 source code and many more examples.

The scope of this leak is enormous even by the standards of this industry, though.

It’s important to take some of this leaked information with a grain of salt, because there is no guarantee that the information leaked is up to date. Even if it’s current now, the studio’s plans could change and evolve in the coming months and years. The fact that a new Ratchet & Clank game is planned now doesn’t necessarily mean one will be released in a few years; games are canceled all the time.

Wolverine-developer Insomniac Games sees 1.67TB of secrets leaked in data breach Read More »