Category: Ransomware

Ransomware as a Service

Software as a Service (SaaS) is common and is where companies or individuals pay a subscription to access software rather than actually buying it. This is how Microsoft 365 works – you pay a monthly or annual subscription to use Microsoft Office on your devices.

Unfortunately, criminals are now treating ransomware like this – with some criminal setups letting scammers make use of their ransomware for a subscription charge.

This makes it easier for scammers who are less computer literate, as they don’t need to make or buy the ransomware software themselves.

The Coveware 2020 report shows that ransomware attacks have increased by 25 percent from Q4 2019 to Q1 2020. The monetary value of the average ransom payment has also increased from an average ransom of $41,198 to $84,116.

Ransomware is malware that, once it gets onto a computer system, encrypts the information files it finds and then demands a ransom; unless the ransom is paid, the decryption key needed to unlock those files is not provided.

Payment is often demanded in Bitcoin or other untraceable methods.

Once infected with ransomware, it is very difficult for victims to save their data, and recently these criminals have started publishing the information they find on the Internet as a way of embarrassing the owners and pressuring them to pay the ransom.

All computer systems should be protected against ransomware by the standard practices of:

  1. Making regular backups of all important files
  2. Taking backups off site
  3. Keeping anti-malware installed and up to date on every device
  4. Maintaining firewalls and all other protections against intrusion

If you have any experiences with these scams do let me know, by email.

Fightback Ninja Signature

The Please Read Me Ransomware Attack

In 2020, around 250,000 MySQL database servers were attacked in a very large scale ransomware attack.

The victims were threatened into paying a ransom or else see their confidential documents revealed to the public.

The campaign has become known as “Please_Read_Me”.

Two variants of this attack were seen in 2020. The first was the standard approach of encrypting the files and then demanding payment in Bitcoin for the decryption key; the second also used ‘leak’ web sites to publish documents until the ransom is paid.

How This Happens

MySQL is a database management system.

The attack starts by finding MySQL databases that are reachable from the Internet, then tries every password in a dictionary, plus all common passwords, to see whether it can log in successfully.

If successful, the attack runs a series of database queries to determine the contents, then zips the data and sends it to the scammer. It then renders the user’s database unusable by deleting all the data.

Ransom notes are then left on the user computers and they must pay in Bitcoin to regain access to their data.
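The password-guessing step described above leaves a trail in the MySQL error log: a burst of “Access denied for user …” entries from one source address. As an added example (not code from the original post or from Guardicore Labs), the following Python script runs a sliding-window count over constructed log lines in the style of the MySQL 8 error log and reports any source host whose failed logins reach a threshold within a short window, together with the usernames it tried.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of the MySQL 8 error log (not a real capture).
# 203.0.113.7 makes rapid repeated guesses against root/admin; 198.51.100.4 fails once.
SAMPLE_LOG = """\
2020-12-10T08:01:02.000000Z 41 [Note] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T08:01:02.400000Z 42 [Note] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T08:01:03.100000Z 43 [Note] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2020-12-10T08:01:03.900000Z 44 [Note] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T08:01:04.200000Z 45 [Note] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T08:01:05.700000Z 46 [Note] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T08:15:30.000000Z 47 [Note] [Server] Access denied for user 'alice'@'198.51.100.4' (using password: YES)
2020-12-10T08:15:31.000000Z 48 [Note] [Server] Some unrelated message
"""

# Timestamp, connection id, severity, zero or more bracketed tags, then the denial text.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+) \d+ \[\w+\] (?:\[[^\]]+\] )*"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failures(log_text):
    """Yield (timestamp, user, host) for every failed-login line in the log."""
    for line in log_text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["host"]


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {host: (peak_failures_in_window, sorted usernames tried)} for every
    host whose failed logins reach `threshold` inside a `window_seconds` window."""
    recent = defaultdict(deque)   # host -> timestamps inside the current window
    users = defaultdict(set)      # host -> usernames attempted
    peak = defaultdict(int)       # host -> largest window count observed
    window = timedelta(seconds=window_seconds)
    for ts, user, host in parse_failures(log_text):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        users[host].add(user)
        peak[host] = max(peak[host], len(q))
    return {h: (n, sorted(users[h])) for h, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for host, (count, names) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {count} failed logins in 60s, users tried: {names}")
```

The same counting logic applies to a live log tail; a single source trying many passwords against root in seconds is the signature to alert on, and a server that is not reachable from the Internet at all never produces it.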

Read the full Guardicore Labs write-up for more details at www.guardicore.com/labs/please-read-me-opportunistic-ransomware-devastating-mysql-servers/

If you have any experiences with these scams do let me know, by email.

Conti Ransomware

Ransomware is where malware infects a computer system and encrypts the files then demands a ransom for the unlock key.

These criminals typically target larger companies but it can happen to anyone, including private citizens.

The criminal organisers of Conti have created a paid service whereby criminals have access to the relevant malware and means of attack and Conti run the ransomware leak site and extortion.

It is easily identified, as during the encryption process, all files encrypted are changed to a “.conti” file extension.

So, Conti is a set of tools to make it easy for other criminals to run these extortion operations on a large scale.

Once the encryption has completed a file named conti.txt is left on the relevant computer desktops.

The message states that the files have been encrypted and that payment is required to release them. It also warns that users must not try to decrypt the files themselves.

If the victim pays, then sometimes the decryption key is provided and other times nothing further is heard from the criminals, leaving the victim without their files.

If organisations and individuals follow best practice and keep copies of their important files elsewhere, then getting their data back may be just an inconvenience. If there are no other copies of the data, however, it can be a big loss, and this can lead to customers losing trust and moving their business elsewhere.

Recently Conti has also moved to the use of leak sites.

In these cases Conti start to publish the victim’s documents publicly – anything that could be damaging to them.

Recently, Conti added the Scottish Environment Protection Agency (SEPA) to its list of victims and they published various documents from SEPA.

The Conti malware typically gets into the victim’s computers as a PDF document opened by someone on their email. The malware then spreads itself around the organisation and starts to encrypt data.

All organisations and users must backup all important documents and data as that is the safest way to avoid being struck down by such an attack.

If you have any experiences with these scams do let me know, by email.

Ransomware Attack on Scottish Environmental Agency

The Scottish Environmental Protection Agency was struck by a ransomware attack on Christmas Eve 2020 that shut down its internal networks.

This affected a major part of its systems including the contact centre, many internal systems, processes and internal communications.

Some experts believed that the attack had all the hallmarks of Russian organized cybercriminals, but that wasn’t proved.

A significant amount of data was stolen which included business information, procurement information, commercial operations and employee data.

The attack used Conti malware, and some 20 files of confidential data were leaked on a Conti leak site to push SEPA into paying the ransom.

SEPA involved the Police, the Scottish government, the National Cyber Security Centre and recovery experts to assist with removing the ransomware from their systems and recovering as much of their data as could be done.

SEPA prioritised the services most needed by the public and it took weeks for them to get back to fairly normal operations.

It is believed that they did not pay any ransom.

The lesson is clear – take better cyber precautions and always have off-site backups of everything important.

If you have any experiences with this ransomware do let me know, by email.

Man United Ransomware Attack

Manchester United football club experienced a ransomware attack in late 2020. They were held to ransom for millions of pounds by cyberhackers who targeted the club’s computer systems and demanded payment to stop them from releasing sensitive data.

It is a difficult decision for any business – pay up or risk seeing highly sensitive information being wiped out or leaked into the public domain.

The club were clear from the start that the attack was very serious but it did not impact on their schedule of matches.

United brought in a team of technical experts to contain the attack and they informed the Police and the National Cyber Security Centre (NCSC).

The NCSC revealed that in 2019 an English Football League club was hit with a £5m ransomware demand. They were unable to access their CCTV or use entry turnstiles, but it’s not believed that they paid anything.

It took weeks of effort to get things back to normal following the attack. United could also face fines of up to £18 million, or two per cent of their total annual worldwide turnover, from the Information Commissioner’s Office if the attack is found to have breached their fans’ data protection.

The NCSC has previously warned that there is a growing threat to sports clubs.

It took roughly 2 weeks for United IT staff and outside experts to regain control of the situation. It is believed they did not pay the attackers.

The episode was embarrassing for United and they are still under investigation by the Information Commissioner’s Office.

If you have any experiences with these scams do let me know, by email.

The Database Ransomware Attack

A standard ransomware attack is where someone claims to have hacked your computer systems and gained access to your private or business documents, photos, etc., and will either make them public unless you pay a ransom, or has encrypted your files and will only decrypt them at a cost.

That ransom is usually payable in Bitcoin as such payments cannot be tracked or reversed.

This variant of the scam is about databases.

The blackmailer, writing to the radio station, claims to have hacked our website and copied the databases, then threatens the following unless we pay $3,000 in Bitcoin within 5 days:

  • To sell the databases to the highest bidder
  • To publish all emails they have found
  • To attack any of our customers and associates they have details for
  • To delink any links we have set up
  • To damage our reputation any way they can

The whole message seems to be one of desperation.

It is all fake of course. Just idle threats in the hope that someone will feel vulnerable enough to pay up.

The message consists of generalities and threats – there is nothing to show that an actual hack has taken place.

If you receive ransom demands of this kind, they are almost always entirely fake.

A real hacker would contact you directly and show evidence of hacked data or documents.

If you’ve experienced a real hack – do let me know by email.