On March 12, 2025, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center to inform organizations of the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Medusa ransomware so they can protect themselves against it.

According to the advisory:

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

The advisory provides technical details on how Medusa gains access to systems, including phishing campaigns as the primary method for stealing credentials. The group also exploits unpatched software vulnerabilities, which reinforces the importance of timely patching.

The threat actors exfiltrate the victim’s data and then deploy the encryptor, gaze.exe, on files while disabling Windows Defender and other antivirus tools. The encrypted files use the .medusa file extension. The actors then contact the victim within 48 hours and use a .onion data leak site for communication.

The advisory lists the IOCs and TTPs used in the attacks. IT professionals may wish to review them and apply mitigation tactics. The mitigations listed in the advisory are lengthy and worth consulting.
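As an added illustration (not part of the advisory or this post), the following Python sketch correlates the three observable Medusa behaviors named above, a gaze.exe process, Defender being disabled, and files renamed to .medusa, per host over a few constructed log lines. The log format and field names are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the advisory): timestamp, host, event, detail
SAMPLE_LOGS = [
    "2025-03-14T02:11:05Z host=WS-14 event=process_create image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\gaze.exe",
    "2025-03-14T02:11:09Z host=WS-14 event=defender_tamper detail=RealTimeMonitoring_disabled",
    "2025-03-14T02:12:31Z host=WS-14 event=file_rename path=D:\\Finance\\Q1.xlsx.medusa",
    "2025-03-14T02:12:32Z host=WS-14 event=file_rename path=D:\\Finance\\Q2.xlsx.medusa",
    "2025-03-14T09:00:00Z host=FS-01 event=process_create image=C:\\Windows\\System32\\notepad.exe",
    "2025-03-14T09:01:00Z host=FS-01 event=file_rename path=D:\\Share\\report.docx",
]

# Assumed line layout: "<ts> host=<name> event=<type> <remaining key=value detail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) (?P<rest>.*)$")


def classify(line):
    """Map one log line to (host, indicator), or None if it matches no Medusa indicator."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, event, rest = m["host"], m["event"], m["rest"].lower()
    if event == "process_create" and rest.endswith("\\gaze.exe"):
        return host, "encryptor_gaze_exe"       # encryptor named in the advisory
    if event == "defender_tamper":
        return host, "defender_disabled"        # Defender/AV disabled before encryption
    if event == "file_rename" and rest.endswith(".medusa"):
        return host, "medusa_extension"         # extension applied to encrypted files
    return None


def score_hosts(lines):
    """Return {host: sorted list of distinct indicators} for hosts with any indicator."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {host: sorted(inds) for host, inds in seen.items()}


def likely_medusa(indicators):
    """Alert threshold used here: two or more distinct indicators on the same host."""
    return len(indicators) >= 2
```

Any single indicator is worth investigating on its own; the threshold only decides which hosts are escalated first.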

The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.

According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

The advisory urges organizations to:

  1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
  2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
  3. Segment networks to restrict lateral movement between initially infected devices and other devices in the same organization [CPG 2.F].
  4. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.

Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic for mitigating initial access. Review the advisory to ensure the applicable patches have been applied and the malicious email addresses associated with Ghost have been blocked.

Unfortunately, I’ve had unpleasant dealings with the Phobos ransomware group. My interactions with Phobos have been fodder for a good story when I educate client employees on recent cyber-attacks to prevent them from becoming victims. The story highlights how these ransomware groups, including Phobos, are sophisticated criminal organizations with managerial hierarchy. They use common slang in their communications and have to get “authority” to negotiate a ransom. It’s a strange world.

Because of my unpleasant dealings with Phobos, I was particularly pleased to see that the Department of Justice (DOJ) recently announced the arrest and extradition of Russian national Evgenii Ptitsyn on charges that he administered the Phobos ransomware variant.

This week, the DOJ unsealed charges against two more Russian nationals, Roman Berezhnoy and Egor Nikolaevich Glebov, who “operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments.” They were arrested “as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.” I’m thrilled about this win. People always ask me whether these cyber criminals get caught. Yes, they do. This is proof of how important the Federal Bureau of Investigation (FBI) is in assisting with international cybercrime, and how effective its partnership with international law enforcement is in catching these pernicious criminals. This is why I firmly believe that we must continue to share information with the FBI to assist with investigations, and why the FBI must be allowed to continue its important work to protect U.S. businesses from cybercrime.

The city of Columbus, Ohio, announced on May 29, 2024, that a ransomware attack forced its systems offline. According to its notice, the attack was perpetrated by “an established, sophisticated threat actor operating overseas,” and the city was working with law enforcement to investigate the incident. The culprit behind the ransomware attack is reported to be Rhysida.

According to Security Week, the ransomware group posted the city’s data on the dark web, including individuals’ names, addresses, dates of birth, bank account information, driver’s license information, Social Security numbers, and other identifying information. Columbus reported to the Maine Attorney General that it is notifying 500,000 individuals that their personal information was affected by the incident, and is offering those who are affected 24 months of credit monitoring and dark web monitoring.

Unit 42 recently reported that it has identified “Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People’s Army, as a key player in a recent ransomware incident.” Its investigation indicates “with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).” Jumpy Pisces has previously engaged in cyberespionage, financial crime, and ransomware attacks and was behind the ransomware known as Maui.

Unit 42 states that this is the “first observed instance” of Jumpy Pisces using an existing ransomware infrastructure that “signals deeper involvement in the broader ransomware threat landscape.”

According to Unit 42, “We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”

Unit 42 provides the attack methods, timeline of events, threat actor tooling, collaborations with Play ransomware, indicators of compromise, and resources for organizations to use to protect against these threats.

The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.

This is the fourth settlement against a victim of a ransomware attack. According to the OCR’s press release, “Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.”

The OCR’s investigation found that 291,000 files were affected by the attack. Based on that investigation, OCR alleges that Cascade potentially violated HIPAA by failing to conduct a risk analysis and by failing to sufficiently monitor its systems to prevent a cyber-attack.

The settlement is a stark reminder to covered entities and business associates that even if you are a victim of a criminal attack, you are still required to follow HIPAA. Having a robust HIPAA compliance program in place is essential to protecting against threats and possible enforcement actions. Many HIPAA-regulated entities are reviewing their HIPAA compliance programs at this time to address the recent amendment to HIPAA regarding reproductive health information. For instance, Notices of Privacy Practices are required to be updated by December 2024. Now is the time to review and update your HIPAA compliance program.

The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) issued a joint alert on August 28, 2024, warning U.S.-based organizations that cyber actors, “known in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm,” are targeting and exploiting U.S. organizations “across multiple sectors.” Those sectors include “education, finance, healthcare, and defense sectors as well as local government entities.”

The FBI has assessed that these cyber actors are “connected with the Government of Iran (GOI) and linked to an Iranian information technology (IT) company. Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access. These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware.”

The alert outlines the tactics, techniques, and procedures used by the threat actors and the indicators of compromise. It recommends that organizations follow the mitigations it provides to defend against the activity.

Dragos issued its Industrial Ransomware Analysis for Q2 on August 14, 2024. The analysis shows that ransomware attacks significantly increased in Q2, with many ransomware groups disrupted by law enforcement rebranding themselves into new groups. For instance, BlackCat became inactive in March 2024 after being targeted by law enforcement in late 2023 but “recalibrated their strategies, substantially increasing incidents.” In addition, the Knight ransomware group rebranded itself as RansomHub and Royal ransomware was rebranded to BlackSuit.

Critical industrial operations were the prime target of the ransomware groups. According to Dragos, “[T]his quarter saw a significant rise in the frequency and severity of attacks, reflecting the evolving threat landscape and the persistent risk posed by ransomware groups.” The report notes that these attacks have caused significant operational disruptions to this important sector.

For the manufacturing sector, the construction industry was the most affected, representing 67% of all ransomware incidents in Q2. The most prominent culprits were: BlackBasta; 8Base; Akira; BlackSuit; MedusaLocker; Hunters International; Cactus; RansomHub; and Qilin. New threat actors on the scene that attacked victims in Q2 that were not observed in Q1 include: RA Group; Dragonforce; Ransomhouse; Team Underground; Brain Cipher; Red Ransomware; MetaEncryptor; Cloak; D_Nut_Leaks; BlackByte, Everest; and Monti.

The bad news from the report is that ransomware continues to be a significant threat to the industrial sector, and “ransomware groups demonstrated a significant capacity for adaptation, with some groups rebranding and others emerging with new tactics and techniques.” This will lead to “the introduction of new ransomware variants and increasing coordinated campaigns targeting industrial sectors” despite law enforcement disruptions. The battle against ransomware groups and their ever-evolving tactics is far from over. The relentless effort of staying ahead of these groups is akin to a game of Whac-A-Mole.

The city of Columbus, Ohio, announced on May 29, 2024, that it was forced to take its systems offline due to a ransomware attack. According to its notice, the attack was perpetrated by “an established, sophisticated threat actor operating overseas,” and the city was working with law enforcement to investigate the incident.

According to Security Week, the Rhysida ransomware group has claimed responsibility. In November 2023, CISA, FBI, and MS-ISAC released an advisory on Rhysida. Although the advisory does not attribute the cybercriminals behind Rhysida to a particular country, most Ransomware-as-a-Service gangs operate out of Russia, North Korea, or China.

The incident occurred when a city employee became a victim of a phishing email and downloaded a file from a malicious website. The city is determining what data was included in the incident and will provide notice to those affected.

We previously reported on the concerning mash-up of worldwide cybercriminals, known as Scattered Spider, working together to attack victims.

New reports from Microsoft and others indicate that since the second quarter of 2024, Scattered Spider has been using RansomHub and Qilin ransomware against victims. Scattered Spider is suspected of attacking hundreds of organizations since its inception in 2022, previously with BlackCat ransomware.

Scattered Spider’s addition of RansomHub and Qilin is quite concerning, as both have been attributed to high-profile ransomware attacks against hundreds of companies. Accessing Microsoft’s Threat Intelligence blog provides an additional resource to stay on top of the newest threats impacting organizations.