Bleeping Computer – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 31 May 2024 00:58:11 +0000

Ragnar Locker Ransomware Accidentally Attacked Belgian Police
https://gridinsoft.com/blogs/ragnar-locker-ransomware/
Tue, 29 Nov 2022 11:28:12 +0000

The post Ragnar Locker Ransomware Accidentally Attacked Belgian Police appeared first on Gridinsoft Blog.

The operators of the ransomware Ragnar Locker published on their “leak site” the data stolen from the police unit of the Belgian province of Antwerp. The problem is that the hackers believed that they had compromised the municipality of the city of Zwijndrecht, and the law enforcement officers were hacked by accident.

Let me remind you that we also wrote that the BlackCat ransomware gang publishes leaked data on a clear-web site, and that a list of terrorism suspects monitored by the FBI was leaked online.

The Belgian media have already called this leak one of the largest in the history of the country, as it affected all Zwijndrecht police data from 2006 to September 2022.


Bleeping Computer writes that the published data includes thousands of license plates, crime reports, personnel data, investigation reports and much more. Unfortunately, such a leak could reveal the identities of people who reported crimes, as well as jeopardize ongoing law enforcement operations and investigations.

At the same time, the Zwijndrecht police report on social networks that hackers gained access only to that part of the network where administrative data was stored, and the employees themselves were the first to suffer from the attack.

Zwijndrecht police chief Marc Snels told local media that the data breach was due to human error and all those affected are already being notified of the incident.

“This is not the case when there was a leak in general of all data. The [compromised] network mainly contains personal information of our employees, such as personnel lists. But sometimes this network does contain confidential information. These are human mistakes. For example, fines and photos related to child abuse ‘leaked’. This, of course, is very unpleasant,” Snels says.

It is known that the Belgian prosecutor’s office has already opened a criminal case in connection with this hack.

At the same time, Bleeping Computer notes that, according to Belgian journalists, the attackers targeted a poorly protected Citrix endpoint and penetrated the police network through it. Investigators also found that the “leaked” data includes metadata of telecommunications subscribers and SMS messages of people who are under secret police investigation. The files also contain traffic camera footage revealing the whereabouts of specific people at specific dates and times.

This is not the first such incident. For example, TechCrunch reported that hackers stole the personal data of about 4,000 American federal agents and police officers and uploaded it to the internet.

Security Experts Secretly Helped Zeppelin Ransomware Victims for Two Years
https://gridinsoft.com/blogs/zeppelin-ransomware-victims/
Tue, 22 Nov 2022 08:55:01 +0000
Since 2020, some information security specialists have quietly helped victims of the Zeppelin ransomware, both individuals and companies. A number of vulnerabilities were found in the encryptor and used to create a working decryptor.

Let me remind you that we also wrote that Microsoft linked the hacker group Vice Society to several ransomware campaigns (including ones using Zeppelin malware), and that the Azov ransomware tries to set up cybersecurity specialists.

Bleeping Computer says that the authors of this decryptor were specialists from the security consulting firm Unit221b. Back in 2020, they prepared a report on vulnerabilities in the ransomware, but delayed its publication so that the attackers would not learn that free file decryption was possible.

Unit221b experts decided to try to break Zeppelin when they discovered that the malware operators were attacking charities, non-profit organizations and even homeless shelters.

Starting from a 2019 BlackBerry Cylance report, the researchers found that Zeppelin uses an ephemeral RSA-512 key to encrypt the AES key that locks access to the encrypted data. Since the encrypted AES key is stored in each encrypted file, cracking the RSA-512 key would allow the data to be decrypted without paying a ransom to the attackers.

Image: How Zeppelin encryption works

While working on this hypothesis, the experts found that the public key remains in the registry of the infected system for about five minutes after data encryption is completed. They managed to extract it by “carving” it from the file system, from Registration.exe memory dumps, and directly from NTUSER.Dat in the /User/[user_account]/ directory.

Image: An obfuscated key

The resulting data was obfuscated using RC4. To deal with this, the experts used 800 CPUs across 20 servers (each with 40 CPUs on board), which cracked the key in six hours. After that, all that remained was to extract the AES key from the affected files.

Unit221b founder Lance James told reporters that the company has now decided to go public with the details of the work done, as the number of Zeppelin victims has dropped significantly in recent months. The last major campaign using this ransomware was the attacks by the Vice Society, which abandoned Zeppelin a few months ago.

According to James, the data decryption tool should work even for the latest versions of Zeppelin and will be available to all victims free of charge, upon request.

Emsisoft, which often releases its own free decryptors, told reporters that the large amount of computing power needed to recover the keys unfortunately hinders the creation of a free tool for companies.

Ransomware publishes data stolen from Cisco
https://gridinsoft.com/blogs/data-stolen-from-cisco/
Wed, 14 Sep 2022 12:24:55 +0000
The Yanluowang hack group published data stolen from Cisco back in May 2022. Cisco representatives acknowledged that the data leak took place, but still insist that the incident did not affect the company’s business in any way.

Let me remind you that last month, Cisco representatives confirmed that back in May the company’s corporate network had been hacked by the Yanluowang extortion group. The attackers later tried to extort money from Cisco, threatening to publish the data stolen during the attack.

At the time, the company emphasized that the hackers had not stolen anything serious: they only managed to take non-confidential data from the Box folder associated with the compromised employee account.

The hackers themselves contacted Bleeping Computer and told reporters that they had stolen 2.75 GB of data from the company (approximately 3,100 files), including source codes and secret documents. According to journalists, many of the files were non-disclosure agreements, data dumps and technical documentation.

For example, the attackers gave the publication a redacted version of the agreement and showed a screenshot of the VMware vCenter admin console at the cisco.com URL. The screenshot showed numerous virtual machines, including one called GitLab and used by the Cisco CSIRT.

At the same time, Cisco continued to claim that the company has no evidence that the source code was stolen.

Let me remind you that we also reported that the Cisco hack is linked to Russian-speaking hackers from Evil Corp.

As Bleeping Computer now reports, Yanluowang members have begun leaking the stolen data on the dark web. Against this background, Cisco finally confirmed the leak, but the company continues to insist that the incident did not affect its business in any way and that the leak does not change its initial assessment of the incident.

“On September 11, 2022, the attackers who had previously published a list of filenames associated with the incident on the dark web posted the actual contents of the same files in the same location on the dark web. The contents of these files are consistent with what we have identified and disclosed.

Our previous analysis of the incident remains unchanged – we still do not see any impact on our business, including Cisco products or services, sensitive customer data, sensitive employee information, intellectual property, or supply chain processes,” Cisco said.

I note that at the end of August, cybersecurity analysts from eSentire published a report in which they presented evidence of a possible connection between the Yanluowang group and the well-known Russian-speaking hack group Evil Corp (UNC2165).

The LockBit Group Is Taking on DDoS Attacks
https://gridinsoft.com/blogs/ddos-attacks-and-lockbit/
Tue, 30 Aug 2022 09:40:36 +0000
Last week, after the information security company Entrust was hacked, the LockBit hacker group was subjected to powerful DDoS attacks. Now the hackers say they have improved DDoS protection and plan to do triple extortion in the future, using such attacks as additional leverage on victims.

Let me remind you that we also reported that hackers launched LockBit 3.0 and a bug bounty program, and that experts found similarities between LockBit and BlackMatter.

Let me remind you that Entrust was hacked back in June 2022. The company then confirmed to the media that it had been subjected to a ransomware attack during which data was stolen from its systems. Later, a section dedicated to Entrust appeared on the site the LockBit group uses to “leak” data, and the attackers said they were going to publish all the information stolen from the company there. Usually, such actions mean that the victim company has refused to negotiate with the extortionists or comply with their demands.

However, shortly after the data was published, the hackers’ Tor site went down, and the group reported that it had been subjected to a DDoS attack precisely because of the Entrust hack: the DDoS traffic was accompanied by the message “DELETE_ENTRUSTCOM_MOTHERFUCKERS”.


As Bleeping Computer journalists now write, a group representative known as LockBitSupp announced that the group is back in operation with a more serious infrastructure, and now the data leak site is not afraid of DDoS attacks.


Moreover, the hackers said they took this DDoS attack as an opportunity to learn triple extortion tactics that could be useful to them in the future. Indeed, DDoS attacks can put additional pressure on victims to pay a ransom, on top of data encryption and the threat of publishing stolen information.

“I am looking for dudosers in the team, most likely now we will attack targets and engage in triple extortion: encryption + data leak + dudos, because I felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp writes on a hacker forum.

LockBit also promised to distribute all the data stolen from Entrust via a 300 GB torrent so that “the whole world will know your secrets.” A representative of the group also promised that, at first, the hackers would share the Entrust data privately with anyone who contacted them. Journalists note that over the weekend LockBit released a torrent called “entrust.com” containing 343 GB of information.

When it comes to protecting against DDoS attacks, one of the methods already implemented by hackers is the use of unique links in ransom notes. “The function of randomizing links in locker notes has already been implemented, each assembly of the locker will have a unique link that dudoser will not be able to recognize,” LockBitSupp says.

The hackers also announced an increase in the number of mirrors and backup servers, and also plan to increase the availability of stolen data by publishing it on the regular Internet and using “bulletproof” hosting for this.

New RedAlert Ransomware Targets Windows and Linux VMware ESXi Servers
https://gridinsoft.com/blogs/new-redalert-ransomware/
Fri, 08 Jul 2022 07:13:59 +0000
Researchers have discovered a new RedAlert (aka N13V) ransomware that encrypts Windows and Linux VMware ESXi servers and targets corporate networks.

MalwareHunterTeam, an information security expert, was the first to notice the new malware, posting screenshots from the group’s dark web site on Twitter.

Let me remind you that we also wrote about the Linux malware Symbiote, which information security experts say is almost undetectable.

The new ransomware was named RedAlert because of the string the hackers used in the ransom note.

The attackers themselves call their malware N13V, writes Bleeping Computer.


The Linux version of the ransomware is reportedly targeted at VMware ESXi servers and allows attackers to shut down any active virtual machines before encrypting files.

The researchers say that during file encryption the ransomware uses the NTRUEncrypt algorithm, which supports different “option sets” that provide different levels of security. It is noted that, apart from RedAlert, only the FiveHands ransomware uses this algorithm.

Another interesting feature of RedAlert is the “-x” command line option, which is responsible for “testing the performance of asymmetric encryption” using various sets of options. It is not yet clear whether there is a way to force a certain parameter during encryption, or whether the ransomware chooses the most effective one on its own.


During file encryption, the malware only targets files associated with VMware ESXi virtual machines, such as log files, swap files and virtual disks: .log, .vmdk, .vmem, .vswp and .vmsn. The malware adds the .crypt[number] extension to these files.

“Like almost all new enterprise-targeting ransomware operations, RedAlert conducts double-extortion attacks, which is when data is stolen, and then ransomware is deployed to encrypt devices,” Bleeping Computer writes.

The payment site that victims are sent to via a ransom note is broadly similar to other ransomware sites in that it displays a ransom note and allows negotiating with the attackers. At the same time, the hackers emphasize that they only accept Monero cryptocurrency for payment.


Although experts have so far only discovered a ransomware sample targeting Linux, hidden elements on the group’s website suggest that decryptors for Windows also exist.

So far, the RedAlert website contains data of only one attacked organization, that is, the malware is just starting its “work”.

AstraLocker Ransomware Operators Publish File Decryption Tools
https://gridinsoft.com/blogs/astralocker-ransomware-operators/
Wed, 06 Jul 2022 09:11:22 +0000
AstraLocker ransomware operators have announced that the malware is ending its work and have uploaded data decryption tools to VirusTotal. The hackers say that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking.

Bleeping Computer reports that it has already examined the archive published by the attackers and confirms that the decryptors are genuine and do decrypt the affected files.

Let me remind you that we also wrote that a free decryptor for the BlackByte ransomware was published, and that cybersecurity specialists released a free decryptor for the Lorenz ransomware.

Journalists note that they tested only one decryptor, which successfully decrypted files locked during one of the AstraLocker campaigns. The other decryptors in the archive are apparently designed to decrypt files affected by previous campaigns.

Image: Archive content

The journalists also managed to get a comment from one of the malware operators:

It was fun, but fun always ends. I close the whole operation, decryptors in ZIP files, clean. I’ll be back. I’m done with ransomware for now and I’m going to get into cryptojacking lol.

Although the malware developer did not say why AstraLocker suddenly stopped operating, journalists believe this may be due to recently published reports by security experts who studied the malware, which could have brought AstraLocker to the attention of law enforcement.

Emsisoft, a company that helps ransomware victims recover data, is currently developing a universal decryptor for AstraLocker, which should be released in the near future.

What will we no longer see in the criminal world?

Threat intelligence firm ReversingLabs recently reported that AstraLocker used a somewhat unusual method of encrypting its victims’ devices compared to other strains of ransomware.

Instead of first compromising the device (hacking it or buying access from other attackers), the AstraLocker operator deploys the payload directly from email attachments using malicious Microsoft Word documents.

The lures used in the AstraLocker attacks are documents that hide an OLE object containing the ransomware payload, which is deployed after the target clicks “Run” in the warning dialog shown when the document is opened.

Before encrypting files on a compromised device, the ransomware will check to see if it is running on a virtual machine, terminate processes, and stop backup and antivirus services that could interfere with the encryption process.

Based on analysis by ReversingLabs, AstraLocker is based on the leaked source code of Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that came out in September 2021.

Also, one of the Monero wallet addresses in the AstraLocker ransom note was also linked to the operators of the Chaos ransomware.

Hackers Launched LockBit 3.0 and Bug Bounty Ransomware
https://gridinsoft.com/blogs/lockbit-3-0-and-bug-bounty/
Wed, 29 Jun 2022 06:44:08 +0000
The LockBit ransomware group has released the LockBit 3.0 malware, introduced its own bug bounty program at the same time, and announced that it will accept ransoms in the Zcash cryptocurrency.

Bleeping Computer recalls that LockBit appeared in 2019 and has since become one of the most active threats, accounting for about 40% of all ransomware attacks in May 2022.

You might also be interested in: Conti vs. LockBit 2.0 – a Trend Micro Research in Brief.

Journalists say that over the weekend, the group released an updated version of its RaaS malware (LockBit 3.0), which hackers have been beta testing for the past few months. At the same time, it is noted that the new version of the malware has already been used in attacks.

Also, along with the release of a new version of the ransomware, the hackers also introduced their own bug bounty program.

“We invite security researchers, all ethical and unethical hackers on the planet to participate in our vulnerability bounty program. The amount of rewards varies from $1,000 to $1 million,” the hackers write.


It is easy to guess how exactly the hackers intend to use the vulnerabilities acquired this way. In addition, the group offers rewards not only for bugs, but also for “brilliant ideas” to improve its ransomware, as well as for doxing the head of its own affiliate program. The hackers’ website lists the following award categories:

  1. Site errors: XSS vulnerabilities, MySQL injections, shells and more will be charged based on the severity of the error. The main vector is getting a decoder through bugs on the site, as well as gaining access to the history of correspondence with encrypted companies.
  2. Locker Errors: Any encryption errors resulting in file corruption or the ability to decrypt files without a decryptor.
  3. Brilliant Ideas: We pay for ideas. Please write how we can improve our website and software, the best ideas will be rewarded. What is interesting about our competitors that we do not have?
  4. Doxing: We will pay exactly one million dollars, no more and no less, for doxing the affiliate boss. It doesn’t matter if you are an FBI agent or a very smart hacker who knows how to find anyone, you can write to us on TOX messenger, tell us the name of the boss and get a million dollars in Bitcoin or Monero for it.
  5. Messenger TOX: vulnerabilities in the TOX messenger that allow intercepting correspondence, launching malware, determining the IP address of the interlocutor, and other interesting vulnerabilities.
  6. Tor network: any vulnerabilities that help get the IP address of the server where the onion site is installed, as well as gain root access to our servers and onion domains, followed by a database dump.

It should be noted that this is not the first time the group has offered, as an experiment, a reward for doxing the head of the LockBit affiliate program, known by the nickname LockBitSupp. For example, in April of this year, the group offered a million dollars on the XSS hacker forum to anyone who could discover at least the first and last name of LockBitSupp.


Journalists also note that visitors to the group’s site are now greeted by a GIF with animated icons of the Monero and Bitcoin cryptocurrencies, which were already accepted for ransom payments. They have now been joined by the logo of Zcash, a cryptocurrency known for its enhanced privacy.


Another innovation is a new model that will allow buyers to purchase data stolen during attacks from LockBit. One of the JavaScript files on the updated group site contains a modal dialog for purchasing stolen data. Apparently, the data will be offered for purchase and download either via torrent or directly through the site.


Since the LockBit 3.0 website has yet to publish details of any victims, it is still not clear how this feature will work or whether it will be enabled anytime soon.

Information Security Specialists Discovered a 0-day Vulnerability in Windows Search
https://gridinsoft.com/blogs/0-day-vulnerability-in-windows-search/
Sat, 04 Jun 2022 12:24:21 +0000
A new 0-day Windows Search vulnerability could be used to automatically open a search box and launch remote malware, which is easily done by simply opening a Word document.

Bleeping Computer says the problem is serious because Windows supports the search-ms protocol URI handler, which allows applications and HTML links to run custom searches on the device. While most searches query the local device, it is also possible to force Windows Search to query file shares on remote hosts and to use a custom title for the search window.

For example, Sysinternals allows remotely mounting live.sysinternals.com as a network share to run its utilities. Users can use the following search-ms URI to find this remote share and display only files that match a specific name: search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals

In this case, the crumb variable of the search-ms URI specifies the search location, and the displayname variable specifies the window title. When this command is executed from the Run dialog or the browser address bar on Windows 7, Windows 10 and Windows 11, a custom search window appears, as in the screenshot below. Its title reads “Searching Sysinternals”, as specified in the search-ms URI.

Screenshot: the custom search window titled “Searching Sysinternals”

Hackers can use the same approach for attacks, where phishing emails masquerade as updates or patches that supposedly need to be installed urgently. Attackers can set up a remote Windows share that will be used to host malware disguised as security updates, and then use the search-ms URI in their attacks.

It would seem difficult to get the user to click on such a URL, especially given the warning that will be displayed in this case.

Screenshot: the warning displayed when such a search-ms URL is opened

However, Hacker House co-founder and security researcher Matthew Hickey has found a way to combine a newly discovered vulnerability in Microsoft Office with a search-ms handler to open a remote search window by simply opening a Word document.

Let me remind you that the Follina 0-day became public only a few days ago, although researchers first found the bug back in April 2022, when Microsoft refused to acknowledge the problem. The vulnerability is now tracked as CVE-2022-30190 and is known to be exploitable by simply opening a Word document or previewing it in File Explorer, executing malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT).

The bug affects all versions of Windows that receive security updates, including Windows 7 and later, as well as Server 2008 and later.


CVE-2022-30190 is known to allow Microsoft Office documents to be modified to bypass Protected View and run URI handlers without user interaction, which can lead to further handler abuse. Hickey discovered yesterday that it is possible to modify existing exploits for Microsoft Word MSDT to abuse search-ms instead.

The new PoC automatically runs the search-ms command when the user opens a Word document. The exploit opens a Windows Search window that lists executable files on a remote SMB share. The share can be named whatever the attacker wants, such as “Critical Updates”, prompting users to install the malware under the guise of a patch.

As with the MSDT exploits, Hickey demonstrated that it was possible to create an RTF that would automatically open a Windows Search window while still previewing in Explorer.

“While overall this exploit is not as dangerous as the MS-MSDT RCE vulnerability, it can also be useful to attackers who can use it in sophisticated phishing campaigns,” Matthew Hickey said.

Bleeping Computer journalists note that these events are reminiscent of the PrintNightmare RCE vulnerability discovered and fixed in Print Spooler in 2021. Microsoft quickly fixed the original bug, but its discovery led to many other local privilege escalation vulnerabilities related to the original problem, and Microsoft’s developers were eventually forced to make radical changes to Windows printing in order to get rid of this class of vulnerabilities as a whole.

Now Microsoft will probably have to make it impossible to run URI handlers in Microsoft Office without user interaction. Until that happens, there will be regular reports of new exploits being created.

The post Information Security Specialists Discovered a 0-day Vulnerability in Windows Search appeared first on Gridinsoft Blog.

Google Has Disabled Some of the Global Cache Servers in Russia https://gridinsoft.com/blogs/google-global-cache-in-russia/ Fri, 27 May 2022 13:43:08 +0000

Media reports say that Google is notifying ISPs in Russia that it is shutting down its Google Global Cache (GGC) servers, which speed up the loading of its services, including YouTube content.

These changes are reported by RBC, citing two of its own sources in the telecommunications industry.

Let me also remind you that we wrote that DuckDuckGo downgraded Russian state media in search results, and also that Hacker groups split up: some of them support Russia, others Ukraine.

Dmitry Galushko, head of the law firm Ordercom, also announced GGC shutdowns in his Telegram channel. According to him, several telecom operators received notifications about the GGC shutdown, including the Orenburg provider Radio Svyaz (operating under the Focus Life brand). The latter received a letter from one of Google’s Irish “subsidiaries”, Raiden Unlimited Company, which said that “due to changes in legal practice” the servers would be turned off and Google employees would contact the provider in the near future to decommission the equipment.

A representative of Radio Svyaz confirmed to reporters that these servers were turned off on May 19, and a notification came a few days later. The company does not know the reason for the outage.

According to one of RBC’s sources, the MIPT-Telecom provider received the same notification. In this notice, Google referred to the provider’s employees as “the MIPT team,” and the source linked the shutdown of the servers to the fact that the institute was on the sanctions list. MIPT confirmed that in March 2022, the MIPT-Telecom provider was unilaterally disconnected from Google Global Cache.

A representative of Rostelecom, the largest Russian Internet access operator, told RBC that the company “does not observe outages” of Google Global Cache servers. The representative of MTS, in turn, said that “the delivery of traffic from Google’s resources is carried out for MTS in the normal mode.” MegaFon also reports no changes in the operation of this equipment.

Representatives of VimpelCom (Beeline brand), T2 RTK Holding (Tele2) and ER-Telecom Holding refused to provide comments.

RBC’s own source at one of the major Internet providers said that the bankruptcy of Google’s Russian subsidiary is in no way connected with the shutdown of the caching servers.

“This structure was not engaged in their service. This is a global service,” he explained.

Another IT services expert added that in addition to YouTube, Google Global Cache hosts other Google services such as Google CAPTCHA.

“If the operator is deprived of the ability to store this service on the Google server, users may start to have problems: the CAPTCHA may not load or be displayed as a failure,” he predicts.

This, according to the expert, “theoretically could affect the prices for the Internet for users”, because the operators will have to compensate for the increased maintenance costs.

“Google’s Global Cache reduces external traffic by between 70% and 90%, depending on the content consumption patterns of the end-users of ISP operators,” Bleeping Computer writes.

How Google’s caching servers work

Network load may also increase while channel stability decreases: where previously there were many content sources and the closest one could be used, a mass shutdown of the servers would push all traffic onto a handful of foreign links that may have less spare bandwidth, be less resistant to DDoS attacks, and so on.

The Conti Ransomware Ceases Operations and Breaks Up into Several Groups https://gridinsoft.com/blogs/conti-ceases-operations/ Tue, 24 May 2022 09:16:47 +0000

Experts report that the Conti ransomware group is going out of business: it has ceased operations, its infrastructure has been taken offline, and the group’s leaders say the brand no longer exists.
Elisey Boguslavsky

One of the first to notice the change was Elisey Boguslavsky of Advanced Intel, who tweeted that the group’s internal infrastructure had been shut down. According to him, other internal services of the group, such as chat servers, are also being decommissioned.

Let me remind you that we wrote that Leaked Conti ransomware source codes were used to attack Russian authorities, as well as that Experts analyzed the conversations of Conti and Hive ransomware groups.

Bleeping Computer writes that, at the same time, the public “Conti News” leak site and the ransom negotiation site are still available, but Boguslavsky explained to reporters that the Tor administrative panels the hackers used to negotiate and publish news on the site are already disabled.

Although Conti recently carried out a high-profile attack on Costa Rica, Boguslavsky believes it was done as a distraction while Conti members slowly migrated to other, smaller extortion groups.

Conti threatens the government of Costa Rica

“The only goal that Conti wanted to achieve with the latest attack was to use the platform as a tool for advertising, arrange their own “death”, and then be reborn in the most plausible way.

“The secret purpose of the attack on Costa Rica, which was proclaimed by the internal leadership of Conti, was publicity, not ransom. Internal correspondence between members of the group indicates that the ransom requested was well under $1 million (despite rumors that the group was asking for a $10 million ransom and Conti’s own claims that the ransom was $20 million),” say Advanced Intel experts.

Although the Conti brand no longer exists, experts are confident that this crime syndicate will play an important role in the extortion industry for a long time to come. Boguslavsky believes that instead of the rebranding traditional for hack groups (and the subsequent transformation into a new group), Conti’s leadership is collaborating with other, smaller ransomware groups to carry out attacks.

As part of this “partnership”, small hack groups receive an influx of experienced pentesters, negotiators and operators from among Conti members. And the Conti syndicate, dividing into smaller “cells” controlled by a single leadership, gets mobility and the ability to evade the attention of law enforcement agencies.

According to the researchers, Conti cooperates in this way with the groups HelloKitty, AvosLocker, Hive, BlackCat, BlackByte and others. Advanced Intel also believes that Conti members have created a number of new, autonomous groups focused entirely on stealing data rather than encrypting it; these include Karakurt, BlackByte and Bazarcall.
