17-Year-Old Arrested in Connection with Cyber Attack Affecting Transport for London
British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL).
“The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September,” the U.K. National Crime Agency (NCA) said.
The teenager, who’s from Walsall, is said to have been Read More
Hackers Impersonating as Security Researcher to Aid Ransomware Victims
Hackers impersonate security researchers to exploit trust and credibility. By posing as legitimate figures in the cybersecurity community, they:
Gain access to sensitive information
Manipulate victims into compromising actions
Enhance the success of their malicious activities while evading suspicion
Cybersecurity researchers at Arctic Wolf Labs recently discovered that hackers are actively impersonating security researchers to aid ransomware victims.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Technical Analysis
Arctic Wolf Labs researchers found ransomware victims getting extorted again, with fake ‘helpers’ promising to delete stolen data.
They posed as security researchers in two cases, offering to hack the original ransomware group’s servers. This is the first known case of a threat actor pretending to be a legitimate researcher and offering to delete hacked data from another ransomware group.
Despite different personalities, the security analysts believe it’s likely the same actor behind both extortion attempts.
Despite appearing distinct, both cases share key elements. Analyzing their communication styles revealed clear similarities.
Besides this, the unique aspects include the following:
Low ransom demands
Masquerading as a legit researcher
Offering data deletion to prevent future attacks
Cases
Here below, we have mentioned the two cases that the cybersecurity researchers identified:
Case 1 – Royal Ransomware Compromise and Ethical Side Group Data Deletion Extortion: In this case, the Ethical Side Group (ESG) told a Royal ransomware victim in October 2023 via email that they had victim data taken by Royal. In 2022, Royal said they deleted it, but ESG falsely blamed TommyLeaks. ESG offered to hack and delete the data from Royal’s server for a fee.
Case 2 – Akira Ransomware Compromise and xanonymoux Data Deletion Extortion: In this case, an entity claiming to be “xanonymoux” told an Akira ransomware victim in November 2023 they had the exfiltrated data Akira denied having. That’s why xanonymoux offered its help to delete the data or grant server access, alleging Akira’s link to the Karakurt extortion group.
Common Threat Actor Behaviors
Here below, we have mentioned all the common threat actor behaviors:
Acting in the role of a security researcher
Defended the right to inspect the computer infrastructure that houses data compromised in the past
Exchanged messages over Tox
Provided as a means of establishing jurisdiction over stolen information
Potential for such attacks in the future due to unresolved security concerns
Quantity of data that was previously extracted
Minimum required payment amount (<= 5 BTC)
ten terms that appear in both the body of the email and the header
Use of file.io to prove victim data access
Decrypting the complicated world of ransomware, RaaS affiliates juggle multiple encryption payloads.
Uncertainty persists about group sanctioning in follow-on extortion. Beware of relying on criminal enterprises to delete data post-payment.
After analyzing the similarities found in the documented cases, Researchers reasonably conclude that a single threat actor has been targeting organizations previously affected by Royal and Akira ransomware attacks. This conclusion is made with a moderate level of confidence. Nevertheless, it remains uncertain if the original ransomware groups authorized the subsequent instances of extortion or if the threat actor operated independently to obtain more funds from the targeted organizations.
Cyberespionage by several intelligence services, some of contracted out. Developments in the cyber underworld. Vulnerabilities reported in CPUs. Some notes on Patch Tuesday.
Reports of a Wide-ranging cyberespionage campaign by China’s Ministry of State Security. EvilProxy phishing tool targets executives, and defeats multifactor authentication. Vulnerabilities in CPUs. Yashma ransomware targets a wide range of countries. MacOS threat trends. Is there a Russian attempt to disrupt British elections? Rob Boyce from Accenture checks in from the Black Hat conference. Maria Varmazis talking with Black Hat Aerospace Village’s Kaylin Trychon and Steve Luczynski. Ukraine claims to have stopped a Russian spyware campaign. And Patch Tuesday has come and gone, but the vulnerabilities remain–unless, of course, you’ve applied the patches. Read More
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.