New variants, fake security updates, and crowdsourcing innovations for ransomware as a service have taken center stage in ransomware news over the past week.
Fake security updates used to spread Magniber ransomware
Magniber ransomware targets Windows home users, hiding in fake security updates.
Fake antivirus and security updates for Windows 10 are offered through web pages that attackers set up. When the unsuspecting home user downloads what they think are updates via a ZIP file, they are actually downloading malicious JavaScript along with file-encrypting malware.
Threat actors demand payment up to $2500 for home users to decrypt and recover their files.
Magniber has been around since at least early 2022. It has posed as Chrome and Edge browser updates in the past. The new variant posing as Windows Updates was identified by HP Wolf Security in September, and there is an article with more details on their site.
In its previous incarnations, Magniber used MSI and EXE files. More recently, it seems to have switched to JavaScript as the delivery mechanism.
With home users as the target and remote work still prevalent, home offices are part of the corporate attack surface, which should be a strong reason for companies to strengthen the way home users protect themselves.
First of all, of course, you should never download software updates from anything other than truly trusted sources. Secondly, home users should take regular backups and keep them on an offline storage device. Users should also be warned to check their computer and backups for infection before restoring their data.
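The delivery mechanism described above, a ZIP "update" carrying JavaScript, is something a download-scanning hook can check for before the archive is opened. The following is an added example (not code from the article or from HP Wolf Security); the archive contents are constructed inline, and the extension lists are assumptions about what Windows will execute on a double click.

```python
"""Flag script payloads inside a downloaded 'update' ZIP archive.

Added example, not from the article: Windows updates are never delivered
as ZIP files, so an archive that claims to be an update and carries a
JavaScript or other Windows Script Host payload deserves quarantine.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions run by Windows Script Host or the shell on double click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".scr", ".cmd", ".bat", ".ps1"} | SCRIPT_EXTENSIONS


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for archive members worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes:
                continue
            last = suffixes[-1]
            if last in SCRIPT_EXTENSIONS:
                findings.append((info.filename, f"script payload ({last})"))
            elif last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, f"executable payload ({last})"))
            # 'Update.msi.js' style names hide the real type behind a familiar one.
            if len(suffixes) > 1 and last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "double extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking a fake 'Windows update' download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("README.txt", "Run the update to stay protected.")
        archive.writestr("Windows10-KB-Update.msi.js", "/* constructed placeholder */")
        archive.writestr("images/banner.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_archive()):
        print(f"BLOCK {entry}: {reason}")
```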
Prestige ransomware surfaces in Ukraine and Poland
Microsoft revealed that this new ransomware named Prestige is used to target transport and logistics organizations in Ukraine and Poland. The new variant was first used in October 2022 in attacks detected within hours of each other.
The Microsoft Security Threat Intelligence Center (MSTIC) said Prestige “was not observed by Microsoft prior to this deployment.”
Russian state-aligned activity is the obvious suspect, given the targets and timing. MSTIC reports that the targets overlap with previous victims of FoxBlade (aka HermeticWiper) malware. HermeticWiper was first seen deployed against Ukrainian organizations at the time of the invasion of Ukraine.
MSTIC has not yet identified with certainty the threat actor behind the attacks. They note in the announcement that “this activity was not related to any of the 94 currently active ransomware activity groups tracked by Microsoft. Prestige ransomware was not observed by Microsoft prior to this deployment.”
Redmond is working to notify all customers who have been compromised and whose systems have been encrypted with this ransomware.
LockBit ransomware is the “most active extortion group”
The ransomware-as-a-service operation of the LockBit ransomware gang has achieved dubious status as the most prolific group in the past month. According to an article in the web newspaper The Record, it was the “most active online extortion group”.
The group took the top spot from the Conti gang after Conti destroyed most of its infrastructure in May. Cybersecurity experts believe Conti split into small groups to avoid detection.
According to data from research group Recorded Future, LockBit was identified in more than 80 attacks in August, which would bring its total number of victims to more than 1,100. These ranged from attacks on medical infrastructure to industrial systems.
Recorded Future also reported that the group launched a new version called LockBit 3.0 in June that included “technical improvements and a bug bounty program that offered rewards for ways to improve their ransomware operation.”
Bug bounty programs are operated by almost all major software companies as a tried and tested means of detecting defects in their products. LockBit went even further, apparently looking for ways to make improvements to their “product”.
Mike Parkin, senior technical engineer at Vulcan Cyber, is quoted in The Record as saying “they (LockBit) took a page straight from the development manual of a mature organization. If it works for a major player like Microsoft, Google or Apple, why wouldn’t it work for a criminal gang if they have both the maturity and the resources to do it?”