With much focus on ransomware in recent weeks, it seems prudent to continue including some of the more notable developments for awareness. Today’s roundup includes threats, incidents, musings, and recent response guidance resources.
Threats
Cl0p, Down but not Out. Despite recent arrests of the Cl0p ransomware gang, after a brief respite Cl0p is back and listing victims on its leak site. This is often the case with malware groups: unless they are beheaded by law enforcement actions, activity is merely halted for a short time. Read more at BleepingComputer.
REvil Twin? Not likely. It looks like just another case of no honor among thieves, as it seems the LV ransomware gang hijacked and modified code belonging to the REvil/Sodinokibi group. According to Secureworks, despite the blatant copy-paste job that allowed LV to gain access to a top-tier ransomware payload with almost zero development costs, the gang is not on par with the REvil gang in terms of its backend infrastructure. Read more at The Record.
A Bizarre Call. Microsoft Security Intelligence is currently tracking BazarCall (or BazaCall), a criminal group that's using call centers to infect PCs with malware called BazarLoader, a malware loader that's been used to distribute ransomware. BazaCall campaigns are reportedly using emails to lure recipients to call a number to cancel their supposed subscription to a certain service. For more, check out the post at ZDNet.
Incidents
Update on the City of Tulsa. The Conti group has publicly released data stolen from the City of Tulsa during last month’s ransomware attack. According to authorities, the stolen data is personally identifiable information obtained through the release of police citations. The original attack in May disrupted Tulsa's online bill payment systems, utility billing, and email, as well as the websites for the City of Tulsa, the Tulsa City Council, Tulsa Police, and the Tulsa 311. Thus far, Tulsa has refused to negotiate any ransom. SecurityWeek has more.
Utah Water District Experiences Ransomware Attack. The FBI and DHS are currently investigating a ransomware attack at the Mountain Regional Water District. Scott Morrison, the district’s general manager, stated that the attack at no point threatened public health or safety, nor did it gain access to private customer data or credit card information. He also said they wouldn’t be paying any ransom, stating, “Thankfully, we’re not in a position where we had to pay it, and we just severed that equipment (from the system).” Read more at the ParkRecord.
General Musings/Awareness
An Overview of Ransomware Groups and Tactics. While we’ve covered various groups and evolving tactics many times, Flashpoint has an interesting overview/reminder of some of the activity. The post discusses ten ransomware groups that add nearly six new victims every day and “If at First Ransomware Doesn’t Succeed, Try, Try Again (with Other Cyber Extortion Methods).” Visit Flashpoint-Intel for more.
Big Game Prizes Result in Fewer Attacks. A recent report by McAfee highlights that ransomware declined by 50% in Q1 due in part to a shift by attackers from broad campaigns attacking many targets with the same samples to campaigns attacking fewer, larger targets with unique samples. But why does it seem like there are more attacks? Perhaps McAfee’s observation of an overall increase in attack reporting across multiple sectors during the first quarter of 2021 can account for that. Check out more findings at HelpNetSecurity.
An International Problem Requires an International Response. ZDNet security journalist Danny Palmer posts a rather comprehensive and interesting piece on this global cyber scourge. Some commentary is reminiscent of and mildly contrary to some comments during yesterday’s WaterISAC Cyber Threat Briefing. Please visit ZDNet for more.
For $40 Million, What is “We’re from the FBI and We’re Here to Help, Alex?” According to a report from The Hill, FBI Director Christopher Wray on Wednesday told a Senate panel that a request for a $40 million increase in its cybersecurity budget for the upcoming fiscal year would go in part towards combating increasing and damaging ransomware attacks. Read more at TheHill.
Recently Released Response/Resilience Resources