FBI Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 07 May 2024 18:08:04 +0000 en-US hourly 1 https://wordpress.org/?v=89784 200474804 LockBit Leader Identity Revealed, NCA Publishes More Data https://gridinsoft.com/blogs/lockbit-leader-identity-revealed/ https://gridinsoft.com/blogs/lockbit-leader-identity-revealed/#comments Tue, 07 May 2024 18:08:04 +0000 https://gridinsoft.com/blogs/?p=21920 On May 7, 2024, UK National Crime Agency published the detailed dossier on the LockBit ransomware group’s leader. Dmitry Khoroshev, known as LockBitSupp, leads one of the most vicious ransomware groups since its inception in 2020. After unmasking, law enforcement initiated sanctioning the hacker in numerous countries around the world. NCA Unveils LockBitSupp Identity Several… Continue reading LockBit Leader Identity Revealed, NCA Publishes More Data

The post LockBit Leader Identity Revealed, NCA Publishes More Data appeared first on Gridinsoft Blog.

]]>
On May 7, 2024, UK National Crime Agency published the detailed dossier on the LockBit ransomware group’s leader. Dmitry Khoroshev, known as LockBitSupp, leads one of the most vicious ransomware groups since its inception in 2020. After unmasking, law enforcement initiated sanctioning the hacker in numerous countries around the world.

NCA Unveils LockBitSupp Identity

Several days ago, on May 5, 2024, a changed LockBit site variant, that appeared after the law enforcement hack in February of the same year, got back online. Earlier, it used to contain the hefty list of information that law enforcement agencies managed to leak from the network of the threat actor. This time, however, they went further: instead of court judgments, they promised to publish personal information of the LockBit gang leader.

Darknet blog hacked
Hacked leak site that LockBit used before the February takedown is back online

Man under the nickname LockBitSupp always attracted a lot of attention: both due to the success of his ransomware group and unusual publicity of a ransomware group leader that was never seen before. What’s more tempting is the promise to pay $10 million to a person who’d reveal his identity. He was outstandingly confident about his anonymity, and for a good reason, so the huge reward was left unclaimed ever since this “contest” was first announced.

Though now, by the looks of it, Dmitry Yurievich Khoroshev owes $10 million to NCA specialists. During the first summary of Operation Cronos, NCA already threatened to publish his identity, but that was probably a mere bluff. But not this time – the full list of the guy’s personal information was both published and turned into courts in order to imply personal sanctions. They in particular suppose arrest of the personal assets and implying travel bans.

LockBit Leader Compromised: Will This Stop the Gang?

Despite the overall excitement around the identity reveal of LockBitSupp, it won’t make that much difference to the gang. Just another stain on the reputation, that has got the first, and much stronger blow back in February. Deanonymizing of the gang’s leader places it in the row with Evil Corp, whose chief Maksim Yakubets is a long-term guest of the FBI’s wanted board.

A more important news of the fresh release is an updated pack of data about the affiliates and operations of the ransomware group. NCA, together with law enforcement agencies, leaked attack statistics, affiliate counters and names, and the geography of attacks.

As far as the fresh leak says, after the February attack, 2/3 of the LockBit affiliates escaped the business. This was somewhat noticeable by the decline in the group’s activity, but not to that extent. Still, the quality of these attacks noticeably decreased: no loud names in the last two months. At the same time, the number of attacks on the UK companies plummeted to a similar extent (-73%) – definite reaction to the NCA’s effort.

The post LockBit Leader Identity Revealed, NCA Publishes More Data appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/lockbit-leader-identity-revealed/feed/ 1 21920
ALPHV Site Taken Down by the FBI https://gridinsoft.com/blogs/alphv-ransomware-site-taken-fbi/ https://gridinsoft.com/blogs/alphv-ransomware-site-taken-fbi/#respond Tue, 19 Dec 2023 14:16:28 +0000 https://gridinsoft.com/blogs/?p=18360 On December 19, 2023, one of the ALPHV/BlackCat ransomware sites was taken down by the FBI. The typical FBI banner now decorates its main, while other sites of the cybercrime gang are still online. This event is possibly related to the 5-day downtime of all the gang’s Darknet infrastructure a week ago. ALPHV/BlackCat Ransomware Site… Continue reading ALPHV Site Taken Down by the FBI

The post ALPHV Site Taken Down by the FBI appeared first on Gridinsoft Blog.

]]>
On December 19, 2023, one of the ALPHV/BlackCat ransomware sites was taken down by the FBI. The typical FBI banner now decorates its main, while other sites of the cybercrime gang are still online. This event is possibly related to the 5-day downtime of all the gang’s Darknet infrastructure a week ago.

ALPHV/BlackCat Ransomware Site Seized

At around 13:00 GMT, one of the BlackCat’s onionsites began returning the FBI banner, which states about the site being seized by law enforcement. But at the same time, other Darknet infrastructure is up and functioning, meaning that the seizure is likely local.

ALPHV site FBI banner
FBI banner on one of the ALPHV/BlackCat ransomware sites

All this becomes more interesting when we remember the events which happened around ALPHV’s Darknet sites a week ago. Both the leak site and negotiation pages were downjust unresponsive, without any banners. At that point, a lot of cybersecurity newsletter started supposing this was a sign of the hackers being paid a visit by law enforcement. However, as the sites were back online in 5 days, it became clear that all these suppositions were false.

BlackCat main page Darknet
Another Darknet leak site of the ALPHV/BlackCat group – still online

Or were they? Such a consequent website seizure, along with the ALPHV silence regarding the reasons for the previous downtime, make a lot of room for reflections. Most probably, there was something going on related to the FBI interruption, but hackers managed to escape and get the network infrastructure back up. This looks realistic since all the records regarding the previous victims are gone, as you can see above.

Before, we’ve seen the situation when the hackers’ sites were back up after the law enforcement interruption. Back in March 2023, an infamous BreachForums was taken down by the FBI after its admin was detained. Shortly after, another admin restarted the forum only to notify the users about what’s happening. This did not stop the inevitable – BF was taken down until the “reborn” led by the ShinyHackers.

FBI Seized ALPHV Darknet Site – The Trend Continuation?

All the hypotheses and comparisons aside, the network infrastructure takedowns is a new trend led by the FBI. QakBot infrastructure ruination, IPStorm botnet disruption, Trigona ransomware servers wiping – this is only a part of past and ongoing events of the same intention. And ALPHV sites seizure will accomplish this list beautifully.

Will that entirely stop the ransomware gang? Of course not. For large players, like the ALPHV is, recovery is just a matter of time, they have enough money to sustain an idle period. QakBot actually proves this by being back in business with the email spam campaign started on December 11, 2023. Nonetheless, for smaller cybercrime gangs, such a disruption may be a serious reason to stop the activity.

As there are currently no statements from either the FBI and ALPHV/BlackCat hackers, the story will unfold in new details pretty soon. I will update this post as new info will pop up – be sure to come back and check out.

UPD 12/19/23 14:00 GMT

Two more piece of information: official claims from ALPHV and the FBI’s press release, published on their official site. Let’s review them one by one.

In a chat with VX-Underground, hackers assure that nothing happened to their actively used web assets. The FBI took down “the blog they deleted a long time ago”, and the page they use now is on a different address. Though, as far as I remember, this “old” site was used as a mirror for some time. Even if it is true, there could be some remnants of info useful to the law enforcement.

VX-Underground chat
Chat of VX-Underground researchers with ALPHV/BlackCat ransomware

What contrasts with hackers’ claims is the FBI press release, which states not only about the site takedown. Law enforcement offers the decryption tool to ALPHV victims from any country. Allegedly, they have developed the solution some time ago, and were offering it to all the victims through their and partners’ offices. Feds also say about having access to the group’s internal network. That is probably the reason for today’s takedown.

FBI claims

UPD 12/19/23 18:00 GMT

The seized website appears to be.. unseized. At least this is what it says now – with the BlackCat logo on top and a text note below. It is written in Russian, and partially repeats what they said to VX-Underground in the chat. But then some interesting things come into view:

Domain unseized

Yes, as you can read above, to avenge the site seizure, ALPHV removes all the attack limitations. These are what is known as “ethical hacking rules” – no attacks on critical infrastructure, like hospitals, nuclear stations, and others. Not all gangs follow them, though most of the large and long-running ones do. But now, ALPHV appears to be out of this “club”, and will start attacking pretty much whatever.

After all, all I have to say is that some sort of chaos happens. How did the FBI get access to the site? How did ALPHV regain access? What’s the matter with decryption keys? Probably, we’ll see the explanation to this pretty soon.

UPD 12/19/23 20:00 GMT

The FBI banner is back. This are apparently historical events. Should we wait for the round 2 with the current leak site?

The post ALPHV Site Taken Down by the FBI appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/alphv-ransomware-site-taken-fbi/feed/ 0 18360
IPStorm Botnet Stopped by the FBI, Operator Detained https://gridinsoft.com/blogs/ipstorm-botnet-stopped-fbi/ https://gridinsoft.com/blogs/ipstorm-botnet-stopped-fbi/#respond Thu, 16 Nov 2023 14:35:08 +0000 https://gridinsoft.com/blogs/?p=17724 The FBI has successfully dismantled the notorious IPStorm botnet and apprehended its operator. The operation took place back in September, with the key operator, Sergei Makinin, detained around this time. FBI Dismantles IPStorm Botnet The Federal Bureau of Investigation has successfully suspended the activity of the notorious IPStorm botnet. As a result, they have ended… Continue reading IPStorm Botnet Stopped by the FBI, Operator Detained

The post IPStorm Botnet Stopped by the FBI, Operator Detained appeared first on Gridinsoft Blog.

]]>
The FBI has successfully dismantled the notorious IPStorm botnet and apprehended its operator. The operation took place back in September, with the key operator, Sergei Makinin, detained around this time.

FBI Dismantles IPStorm Botnet

The Federal Bureau of Investigation has successfully suspended the activity of the notorious IPStorm botnet. As a result, they have ended the widespread threat it posed to thousands of infected devices globally. The operator behind this nefarious network, Sergei Makinin, is a Russian and Moldovan national who has been arrested. He later confessed to accumulating over half a million dollars by selling access to compromised devices.

Initiated by Makinin in 2019, the IPStorm botnet boasted a formidable network of over 20,000 infected computers during its lifetime. This illegal infrastructure allowed threat actors to clandestinely route traffic through compromised devices. IPStorm runs on Windows, Linux, Mac, and Android operating systems, effectively evading detection by security measures.

IPStorm Botnet Timeline

As I said above, from June 2019 to December 2022, Makinin developed the IPStorm malware. This malware was designed to spread across devices globally and establish control over the infected electronics, effectively knitting them into a cohesive botnet. The primary objective of this botnet was to convert compromised devices into proxies. It appears that he succeeded in his objective. Makinin facilitated access to these proxies through dedicated websites, proxx.io, and proxx.net, creating a lucrative marketplace for cybercriminals seeking covert and untraceable communication channels.

Statistics by Intenzer
IPStorm botnet samples gathered by Intenzer, that show its starting date

The DoJ elucidated that Makinin offered access to more than 23,000 infected devices, referred to as proxies, charging substantial amounts, often hundreds of dollars per month, for the privilege. The illicit venture proved highly profitable for the operator, with Makinin admitting to amassing at least $550,000 in revenue from renting out the IPStorm botnet. This revelation underscores the financial motivation behind creating and maintaining such sophisticated cyber threats. In a significant development related to the case, Makinin pleaded guilty to seizing control of thousands of electronic devices worldwide and profiting by selling unauthorized access to these compromised systems, according to the US Department of Justice (DoJ).

Legal Actions and Continuing Threats

Although the IPStorm botnet has been taken down, it’s worth noting that the legal efforts didn’t cover the IPStorm malware that still exists on infected devices. Consequently, the malware still threatens compromised systems even though the botnet is now incapacitated. Contrary to one of the previous successful FBI operations against botnets, namely QakBot, they did not command the malware to delete itself from devices.

Either way, the recent target picking strategy of the FBI is obvious. It may sometimes be particularly difficult to behead relatively small and scattered ransomware groups. Meanwhile, humongous botnets that serve ransomware actors and hackers of many other direction are a much easier yet still effective target.

IPStorm Botnet Stopped by the FBI, Operator Detained

The post IPStorm Botnet Stopped by the FBI, Operator Detained appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ipstorm-botnet-stopped-fbi/feed/ 0 17724
QakBot Botnet Dismantled, But Can It Return? https://gridinsoft.com/blogs/qakbot-dismantled-return/ https://gridinsoft.com/blogs/qakbot-dismantled-return/#respond Thu, 07 Sep 2023 09:32:33 +0000 https://gridinsoft.com/blogs/?p=16730 On Tuesday, the US authorities announced that as a result of the international law enforcement operation “Duck Hunt,” the infamous Qakbot malware platform, which is linked to Russia, was destroyed. Cybercriminals actively use it to commit various financial crimes. Though, cybersecurity experts are not sure how deadly this operation was to the botnet. They predict… Continue reading QakBot Botnet Dismantled, But Can It Return?

The post QakBot Botnet Dismantled, But Can It Return? appeared first on Gridinsoft Blog.

]]>
On Tuesday, the US authorities announced that as a result of the international law enforcement operation “Duck Hunt,” the infamous Qakbot malware platform, which is linked to Russia, was destroyed. Cybercriminals actively use it to commit various financial crimes. Though, cybersecurity experts are not sure how deadly this operation was to the botnet. They predict a soon return of Qakbot, with new tactics and tricks.

The United States and its allies dismantled the Qakbot financial fraud network

Last week, the United States, the United Kingdom, Germany, Latvia, the Netherlands, Romania, and France conducted a joint operation to dismantle the Qakbot hacker network. First appearing more than a decade ago, Qakbot typically spread through infected emails sent to potential victims under the guise of trusted messages. Cybersecurity researchers have suggested that Qakbot’s origins refer to Russia. This network of attackers has attacked various organizations worldwide, from Germany to Argentina, causing significant losses. U.S. Attorney Martin Estrada emphasized that this operation to expose and disrupt Qakbot’s “Duck Hunt” activities is the most extensive in the history of the fight against botnets.

Screenshot of malicious attachment that asks you to activate macros
Malicious attachment that asks you to activate macros

A colossal catch

So, specialists call Operation “Duck Hunt” a significant victory in the fight against cybercrime, and that’s obvious. As part of an international operation, FBI officials dismantled the Qakbot botnet that infected over 700,000 compromised computers worldwide, of which more than 200,000 were in the United States. Although authorities distributed a removal tool to the endpoints that removed Qakbot from system memory, this did not neutralize other malware that may have been present on the system. According to investigators, between October 2021 and April 2023, Qakbot administrators received approximately $58 million in ransom paid by victims. According to CertiK, criminals could steal about $45 million worth of cryptocurrency during August this year. And in total, users have lost $997 million in fraudulent schemes since the beginning of the year. Law enforcers seized more than $8.6 million in bitcoins.

A few words about Qakbot

Qakbot is a malicious program that belongs to the TrickBot family of Trojans. Its functionality is similar to a Swiss Army knife. It was first discovered in 2008, and since then, cybercriminals have actively used it to steal data and spread other malicious programs. It is the most frequently detected malware, with 11% of corporate networks worldwide affected in the first half of 2023. The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast. It also served as a platform for ransomware operators. Once infected, the victim’s computer became part of a giant Qakbot botnet, infecting even more victims. Qakbot can spread through various channels, including email, malicious links, and infected files. We have an entire article dedicated to this malware.

QakBot May Resurface Soon, Analysts Concern

Experts of cyber threat intelligence operations warned that the recent takedown of Qakbot may only provide short-term relief in the fight against cybercrime. Many cybercrime service providers operate from Russia, which doesn’t extradite its citizens, making it difficult to reach them. However, now Qakbot appears to be on a forced sabbatical. Nevertheless, cybercriminals may tweak their code to make it more challenging to disrupt in the future. The situation now resembles the events with Emotet, which, after severe destruction in 2021, was never able to regain its former position.

Despite obvious parallels to Emotet’s case, it is important to notice the difference between the two. Spreading methods applied by Emotet differ from ones used by Qakbot. The latter used email spamming only as a part of lateral movement, with the application of compromised email accounts. Moreover, QBot is backed by a team of highly-professional crimes, while Emotet apparently lost its dream team in the 2021’s detention. Conti’s Team 3, now known as Black Basta, ran Qakbot operations alongside the Clop ransomware group. Team 3 has been inactive since June, but once they resurface, they could pose a potent threat.

How to protect yourself against malware?

Protecting yourself against malware is essential to safeguard your personal information, data, and online security. Here are some fundamental steps to help you stay protected:

  • Beware of Fake Websites. You should be cautious when visiting websites, especially when entering sensitive information. Ensure you’re on secured websites (look for HTTPS in the URL).
  • Exercise Caution with Email and Links. Be cautious when opening email attachments and clicking links, especially in emails from unknown or suspicious sources. Malware often spreads through phishing emails. Be skeptical of pop-up ads and unexpected download prompts. Verify the legitimacy of requests before taking action.
  • Download Software from Official Sources. Only download software and apps from reputable sources, e.g., the official website or app store (If it’s Android or iOS). Avoid downloading cracked or pirated software from torrents, often bundled with malware.
  • Keep Software Updated. You may find Windows updates annoying, but it is essential. Regularly update your operating system, web browsers, and all installed software. Many malware attacks exploit known vulnerabilities that are patched through updates.
  • Use Strong Passwords. A strong password is the first line of defense. Create strong, unique passwords for your accounts, and change them regularly. Consider using a password manager to generate and store complex passwords securely.
  • Enable Multi-Factor Authentication (MFA). Whenever possible, enable MFA for your online accounts. This is the second line of defense, which will stop the intruder if the first line is passed. MFA adds an extra layer of security by requiring additional verification beyond a password.
  • Use Reputable Anti-Malware Software. We recommend installing and regularly updating reputable anti-malware software on your devices. This point complements all previous topics and minimizes all risks as much as possible. These tools can detect and remove malware infections.

The post QakBot Botnet Dismantled, But Can It Return? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/qakbot-dismantled-return/feed/ 0 16730
The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years https://gridinsoft.com/blogs/fsb-cyberspyware/ https://gridinsoft.com/blogs/fsb-cyberspyware/#respond Wed, 10 May 2023 08:19:59 +0000 https://gridinsoft.com/blogs/?p=14466 The US Federal Bureau of Investigation on Tuesday reported the disruption of a massive spying program by the Russian Federal Security Service (FSB) using cyberspyware codenamed “Snake”. This is stated in a press release from the US Department of Justice. Let me remind you that we also talked about the fact that Europe’s largest private… Continue reading The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years

The post The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years appeared first on Gridinsoft Blog.

]]>

The US Federal Bureau of Investigation on Tuesday reported the disruption of a massive spying program by the Russian Federal Security Service (FSB) using cyberspyware codenamed “Snake”.

This is stated in a press release from the US Department of Justice.

Let me remind you that we also talked about the fact that Europe’s largest private hospital operator Fresenius was attacked with an eponymous Snake ransomware. Don’t be confused – now we talk about a completely different malware.

Matthew J. Olsen
Matthew J. Olsen

US law enforcers believe that the spy tool was used by the hacker unit of the 16th FSB center, codenamed “Turla” for almost 20 years. We also reported that Fake DDoS App from Turla Targets Pro-Ukrainian Hacktivists.

For 20 years, the FSB has relied on the Snake malware for cyber espionage against the United States and our allies – that ends today.said Assistant Attorney General Matthew J. Olsen of the Justice Department's Homeland Security Division.

The Snake program was designed to steal confidential documents from hundreds of computer systems in at least 50 countries that belonged to the governments of NATO member countries, in particular the United States, as well as journalists and other persons of interest to the Russian Federation.

Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes. Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies.said U.S. Attorney Breon Peace for the Eastern District of New York.

To eliminate the “Snake”, the FBI developed an operation code-named “Medusa“. Within its framework, the spy application was forced to rewrite its own code, which disabled it. A senior FBI official said the Bureau’s tool was only designed to communicate with Russian spyware.

He speaks the Snake language and communicates using Snake’s custom protocols without accessing the victim’s private files.the official said.

At a briefing ahead of the announcement, a US official involved in the operation called the Snake the “prime tool” of Russia’s cyber-espionage, Reuters reported.He expressed the hope that as a result of the liquidation of the program, Moscow could be “eradicated from the virtual battlefield.”

The media also reported that the FBI and NSA discovered Drovorub malware, created by Russian Intelligence services.

The post The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fsb-cyberspyware/feed/ 0 14466
BreachForums is down. Things got worse? https://gridinsoft.com/blogs/breachforums-shutdown/ https://gridinsoft.com/blogs/breachforums-shutdown/#comments Mon, 20 Mar 2023 16:25:06 +0000 https://gridinsoft.com/blogs/?p=13860 Recently, one of BreachForums administrators nicknamed PomPomPurin was arrested by the FBI. That event took place on March 17, 2023, and since then, another administrator of that forum assured that BreachForums activity will not be interrupted or influenced. However, since 19:00 GMT of March 19, the page is not available. What is BreachForums and who… Continue reading BreachForums is down. Things got worse?

The post BreachForums is down. Things got worse? appeared first on Gridinsoft Blog.

]]>
Recently, one of BreachForums administrators nicknamed PomPomPurin was arrested by the FBI. That event took place on March 17, 2023, and since then, another administrator of that forum assured that BreachForums activity will not be interrupted or influenced. However, since 19:00 GMT of March 19, the page is not available.

What is BreachForums and who is PomPomPurin?

BreachForums is one of the biggest online communities dedicated to hacking, data leaks, malware and so forth. It goes deeply beyond the boundaries of legitimacy and is considered one of the Darknet markets. It contains numerous offers of leaked data for sale – mainly from corporations and government organisations. BreachForums also was a place to post bids for access to corporate networks and databases with data of specific groups of people. Despite such illegal content, it was available from the surface Web, yet some sections were Darknet-only. The fact that the FBI is interested in stirring this snake ball is estimated.

On March 17, 2023, one of the administrators of BreachForums, PomPomPurin a.k.a Conor Brian Fitzpatrick was detained. The FBI arrested him in his house in Peekskill, NY. That fact was approved by another “chief” of the forum, nicknamed Baphomet. He noticed that Pom did not appear online for over a day without any warning. After that, he banned both the forum account and server infrastructure access of the detainee. Baphomet additionally pointed out that BreachForums’ work will not be interrupted, as he has enough access to maintain the servers. As it turned out, something went wrong.

PomPomPurin account banned
Blocked account that belonged to PomPomPurin

BreachForums website is not available

On March 19, 2023, users noticed that BreachForums is not accessible. When trying to access the surface Web version, the server returns 502 error code. It also says “Looks like we have got an invalid response from the upstream server. That’s all we know”. The Darknet version shows an Onionsite Not Found error, which generally stands for the situation when servers that were holding the website are not operating. At a glance, it looks like the FBI proceeded from PomPomPurin detainment to seizing the servers.

Breached Forums Onionsite
Error returned by the Onion version of BreachForums

Baphomet claimed that there is no danger of the FBI taking over the infrastructure, both physically and technically. Nonetheless, after the BreachForums shutdown, he reappeared with another message. It says that currently Baph does his best to migrate the servers and reconfigure everything as quickly as possible. He also tries to give no chance for law enforcement to reveal it.

BreachForums migration
Baphomet message regarding ongoing works

That contrasts with his claims in the forum post, where he says about doing constant monitoring of logs to uncover anything that may be a sign of infrastructure compromise. If he suddenly decided to migrate the infrastructure – probably the FBI found a way to access it despite the blocks deployed by Baphomet. Another possible cause is that Pompompurin was pretty talkative, especially considering the possible softening of punishment for cooperation.

Baphomet claim day1
Message that Baphomet posted as soon as the information about the detainment appeared

This or another way, BreachForums is likely entering troubled times. Even if the migration ends up successful, law enforcement may still be on the trail. Possibly, Baphomet is the next to face nice men in uniform – just because of his decision to take over the forum controls. Still, nothing points to the impossibility of the Breached Forums returning and running in a usual manner – as if nothing happened.

Update for 21.03.2023

A message in the BreachForums Telegram channel appeared, claiming that Breached Forums will not be continued. The channel that most likely belongs to the aforementioned Baphomet, posted the following message:

Baphomet TG post
Baphomet’s post in Telegram community

“I will be taking down the forum, as I believe we can assume that nothing is safe anymore”. That already says a lot regarding what happened to Breached Forums after the PomPompurin detainment. Though Baphomet still has a bit of hope, saying that he will establish another Telegram group, where he will notify about possible betterment.

Even more interesting details appear in the text file that Baph offers to download. It finally sheds light on the FBI’s part in this action. It says that Baph detected login activity on one of the non-essential servers on March 19, 2023 – two days after Pom’s arrest. Thus it is logical to assume that law enforcement succeeded at taking over PomPomPurin’s computer and accessing it. The server contained enough information to compromise source code, user information, configurations and other things.

Baphomet Finalstatement
Baphomet’s final statement regarding BreachForums

BreachForums epitaph

It is not completely clear whether Baphomet will use assets from BreachForums or not. He states that a number of other hacker forums’ admins and representatives contacted him, offering certain deals. Baph promises “to build a new community that will have the best features of Breached”. Yet, by these words, the actor confirms that BreachForums are completely ceased, with no chance to return.

Breached Forums saw their major boost after the RaidForums shutdown back in April 2022. A huge community of hackers was seeking another place to communicate, and exchange experiences and stolen data. Pom’s brainchild was first on hand. Moreover, he was brave enough to post an offer to join his forum right under the FBI’s Twitter post regarding the RaidForums shutdown.

Pompompurin FBI raidforums

Will the hacker community suffer because of such a loss? Most probably, other hacker sites will witness a spike in activity – nature always abhors a vacuum. Another edge of the “problem” is a slowdown in hacker operations: there is no usual place to sell the stolen and buy the needed access or applications. Nonetheless, they will definitely adapt to the situation, and we will see the outcome in the near future.

BreachForums is down. Things got worse?

The post BreachForums is down. Things got worse? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/breachforums-shutdown/feed/ 4 13860
The FBI Said That the Damage from Cyberattacks in 2022 Exceeded $10 Billion https://gridinsoft.com/blogs/damage-from-cyberattacks-in-2022/ https://gridinsoft.com/blogs/damage-from-cyberattacks-in-2022/#respond Fri, 17 Mar 2023 08:56:32 +0000 https://gridinsoft.com/blogs/?p=13810 The FBI’s Internet Fraud Complaint Center (IC3) has released its annual 2022 Internet Crime and Cyber Attack Damage Report. During the year, the FBI reportedly received more than 800,000 cybercrime-related complaints, with total losses in excess of $10 billion. Let me remind you that we also wrote that FBI experts say that this year “sextortion”… Continue reading The FBI Said That the Damage from Cyberattacks in 2022 Exceeded $10 Billion

The post The FBI Said That the Damage from Cyberattacks in 2022 Exceeded $10 Billion appeared first on Gridinsoft Blog.

]]>

The FBI’s Internet Fraud Complaint Center (IC3) has released its annual 2022 Internet Crime and Cyber Attack Damage Report.

During the year, the FBI reportedly received more than 800,000 cybercrime-related complaints, with total losses in excess of $10 billion.

damage from cyberattacks in 2022

Let me remind you that we also wrote that FBI experts say that this year “sextortion” brought scammers more than $8 million, and also that the FBI and NSA release a statement about attacks by Russian hackers.

Also the media wrote that The FBI Said That Scammers Use Deepfakes to Get a Job.

IC3 began registering cybercrime complaints as early as 2000, and it took seven years for experts to reach the one million complaints per year mark. Since then, it has taken an average of 29.5 months for every additional million complaints.

This year it emerged that while the number of complaints was down compared to 2021, the loss to victims has increased from $6.9 billion to $10.3 billion. In general, over the past five years, law enforcement officers have received 3.26 million complaints, and the damage from the actions of hackers has exceeded $27.6 billion.

No less interesting is the fact that last year EAC and BEC scams (Email Account Compromise and Business Email Compromise) brought fraudsters $ 2.7 billion, but this type of crime for the first time in seven years gave way to investment fraud, on which the criminals earned $ 3.3 billion. In total, these types of crimes account for more than half of the losses recorded last year.

BEC scams and investment scams were the only crimes with losses in the billions, while other losses are in the millions.

In addition to BEC scam and investment fraud, the top five types of cybercrime in 2022 were phishing (300,000 complaints), personal data leakage (58,000 complaints), non-payment / non-delivery fraud (51,000 complaints), extortion (39,000 complaints) and technical support scam (32,000 complaints).

damage from cyberattacks in 2022

In terms of ransomware attacks, the FBI says it received more than 2,300 such complaints last year, with cumulative losses in excess of $34 million. More than 800 of these complaints came from organizations in the critical infrastructure sectors.

Most often (more than 100 incidents in each industry), the sectors of healthcare, critical production, government agencies and IT companies became victims of criminals. Critical infrastructure was most often attacked by LockBit, BlackCat, and Hive ransomware.

damage from cyberattacks in 2022

The post The FBI Said That the Damage from Cyberattacks in 2022 Exceeded $10 Billion appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/damage-from-cyberattacks-in-2022/feed/ 0 13810
FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations https://gridinsoft.com/blogs/fbi-and-cuba-ransomware/ https://gridinsoft.com/blogs/fbi-and-cuba-ransomware/#respond Mon, 05 Dec 2022 09:09:56 +0000 https://gridinsoft.com/blogs/?p=12397 The FBI and the U.S. Infrastructure and Cyber Security Agency (CISA) report that as of August 2022, Cuba ransomware operators have received more than $60 million in ransom from their victims (initially, the hackers requested more than $145 million in ransoms) and have attacked more than 100 organizations around the world. The new security bulletin… Continue reading FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations

The post FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations appeared first on Gridinsoft Blog.

]]>

The FBI and the U.S. Infrastructure and Cyber Security Agency (CISA) report that as of August 2022, Cuba ransomware operators have received more than $60 million in ransom from their victims (initially, the hackers requested more than $145 million in ransoms) and have attacked more than 100 organizations around the world.

The new security bulletin is a direct continuation of a similar document from a year ago. Let me remind you that in December 2021, it was reported that the Cuba ransomware brought its authors about $43.9 million, compromising at least 49 organizations.

We also wrote that Cuba Ransomware Variant Involves Double-Extortion Scheme.

The FBI also said that the $43.9 million was just actual payments to the victims, but the hackers originally demanded more than $74 million from the victims, but some refused to pay.

Since the newsletter was released in December 2021, the number of U.S. organizations compromised by Cuba ransomware has doubled, and ransoms demanded and paid are on the rise. The FBI has observed that Cuba continues to attack US organizations in the following five critical infrastructure sectors, including financial and public sector, healthcare, manufacturing, and IT.experts write.

The FBI and CISA added that in the past year, it became known that ransomware has been improving its tactics and methods, and now they are associated with the RomCom remote access trojan (RAT) and Industrial Spy ransomware.

Law enforcement officers also said at the time that they tracked Cuba attacks on systems infected with the Hancitor malware, which uses phishing emails, exploits vulnerabilities in Microsoft Exchange, compromised credentials, or RDP brute force to access vulnerable Windows machines. Once Hancitor is infected, access to such a system is rented out to other hackers using the Malware-as-a-Service model.

Interestingly, the statistics of the ID-Ransomware platform do not allow to call the Cuba ransomware particularly active, and this only proves that even such a ransomware can have a huge impact on victims and bring profit to its operators.

FBI and CUBA ransomware

The post FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fbi-and-cuba-ransomware/feed/ 0 12397
Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Fake Investments https://gridinsoft.com/blogs/ukrainian-cyber-police-and-europol/ https://gridinsoft.com/blogs/ukrainian-cyber-police-and-europol/#respond Tue, 15 Nov 2022 08:41:23 +0000 https://gridinsoft.com/blogs/?p=11853 The Ukrainian cyber police and Europol have arrested five members of an international network of fraudsters, whose income is estimated at 200 million euros a year. Let me remind you that we wrote that Ukrainian Law Enforcers Arrested Hackers Who Sold More Than 30 Million Accounts, and also that Ukrainian law enforcement officers arrested members… Continue reading Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Fake Investments

The post Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Fake Investments appeared first on Gridinsoft Blog.

]]>
The Ukrainian cyber police and Europol have arrested five members of an international network of fraudsters, whose income is estimated at 200 million euros a year.

Let me remind you that we wrote that Ukrainian Law Enforcers Arrested Hackers Who Sold More Than 30 Million Accounts, and also that Ukrainian law enforcement officers arrested members of the hacker group Phoenix.

Fraudsters operated call centers and offices in Germany, Spain, Latvia, Finland, Albania, and Ukraine and forced their victims to make fake investments.

The publication Bleeping Computer says that the criminals have created an extensive network of fake sites disguised as resources for investors in cryptocurrencies, stocks, bonds, futures, and options. The scammers pretended that the investments were profitable for the investors, convincing the victims that they could make a quick profit and tricking them into investing even more.

In fact, neither the investment nor the “profit” could be withdrawn from the fraudulent platforms, and by the time the victims realized what was happening, they were already losing huge sums.

The FBI recently warned about this type of fraud, calling such attacks “pig butchering“. Law enforcers wrote that this is a very profitable scheme used by scammers around the world.

The FBI explained that scammers use social engineering and get in touch with people (“pigs”) on social networks. Over time, perpetrators gain the trust of victims by faking friendship or romantic interest, and sometimes even posing as real friends of the target. Then, at some point, the criminals offer the victim to invest in cryptocurrency, for which the target is directed to a fake site. As mentioned above, it is impossible to return funds and receive fake “income” from such a resource.

These scams can last for months, and the victims give the scammers huge sums (from thousands to millions of dollars) before realizing they have been scammed. For example, Forbes recently reported on a 52-year-old man from San Francisco who lost about a million dollars due to “slaughtering pigs.” In this case, the scammers pretended to be an old colleague of the victim.

According to a Ukrainian cyber police statement, the criminal group has hired more than 2,000 people in its call centers, luring victims to fraudulent websites. There were three call centers located in the territory of Ukraine, and five people detained by the police were allegedly the organizers of local operations. It is reported that during the searches conducted in Kyiv and Ivano-Frankivsk, more than 500 pieces of computer equipment and mobile phones were seized.

Ukrainian Cyber Police and Europol

The detainees will be charged with fraud, which is punishable by up to eight years in prison.

But cyber scammers do not live by slaughtering pigs alone, for example, the media recently reported that the Cyber Police of Ukraine had neutralized a large phishing service, which operators’ attacked banks in eleven countries.

Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Fake Investments

The post Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Fake Investments appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ukrainian-cyber-police-and-europol/feed/ 0 11853
Team Xecuter’s life. How hackers leave after the arrest? https://gridinsoft.com/blogs/cybercriminals-life-under-arrest/ https://gridinsoft.com/blogs/cybercriminals-life-under-arrest/#comments Fri, 17 Jun 2022 17:31:37 +0000 https://gridinsoft.com/blogs/?p=8655 Gary Bowser, the Nintendo hacker, appears to be a very happy cybercriminal. Despite a prison term and another arrest, the 50-year-old Frenchman is enjoying life. So does his “collegue” – Max Louarn, the chief of Team Xecuter gang. The Nintendo Hacker keeps going As reported by SecurityLab in February of this year, Gary Bowser was… Continue reading Team Xecuter’s life. How hackers leave after the arrest?

The post Team Xecuter’s life. How hackers leave after the arrest? appeared first on Gridinsoft Blog.

]]>
Gary Bowser, the Nintendo hacker, appears to be a very happy cybercriminal. Despite a prison term and another arrest, the 50-year-old Frenchman is enjoying life. So does his “collegue” – Max Louarn, the chief of Team Xecuter gang.

The Nintendo Hacker keeps going

As reported by SecurityLab in February of this year, Gary Bowser was sentenced to three years in prison for participating in the Team Xecuter hacker group, which sold hacked Nintendo consoles that can play pirated games. However, Bowser’s partner, group leader Max Louarn, is still at large. Despite legal troubles and even an arrest in Tanzania, the 50-year-old Frenchman is enjoying life with his girlfriend, a former model from Russia, in the picturesque town of Avignon in southern France.

Louarn became interested in hacking in the 1980s. At first, he hacked into his Commodore 64 home computer for fun, but a harmless hobby eventually grew into a good source of income. “I wasn’t going to be an engineer with a salary of 5,000 euros a month when I realized at the age of 18 that hacking is not only fun but also brings a lot of money. Steal from companies that earn billions, why not? The hacker admitted to Le Monde in a recent interview.

MAXiMiLiEN (Luarne’s hacker alias from the 1990s) sold hacked games, key generators and software until 1993 when he was arrested on piracy charges…by Nintendo! The hacker flew to Spain, but law enforcement lured him to the US by sending a fake invitation to a birthday party on behalf of his friend. As soon as Luarne got off the plane, he was immediately arrested.

The court pleaded the Frenchman guilty and made him serve five years in an American prison. In 2005, Sony sued the hacker, accusing him of piracy and demanding $5 million in damages. As Luarne says, Nintendo considers him a sworn enemy.

“They hate me. I bet they have a photo of me nailed in their office in Tokyo,”the hacker laughs.

Bowser is not going to deny his ideas

However, he himself considers himself not a villain, but rather a rebel. “We have always stood for freedom. This is our way of thinking: to do whatever we want with the machines, and that everyone has access to them, ”Luarne said.

It is noteworthy that the hacker himself denies his connection with Team Xecuter, although, as part of an agreement on cooperation with the investigation, Gary Bowser called him his accomplice. Now the Frenchman is hunted not only by Nintendo, but also the US Department of Justice. As mentioned, Luarne was arrested in Tanzania in 2020 but was released after a court found his arrest illegal. On a private jet, the hacker managed to escape from the FBI and fly to France.

Although Luarne lives a comparatively free life at home, his overseas bank accounts and cryptocurrency wallets are frozen, and the legal vise is tightening. Be that as it may, the hacker does not intend to give up. According to him, US laws protect the interests of large corporations and are “ready to destroy competitors by covering simple commercial disputes with criminal law. Now it would be more difficult to serve the sentence, because I have to take care of my father. I have a 16-year-old daughter and will soon have a second child,” notes Luarn.

Ideological hackers are pretty rare nowadays. The crooks you will likely spectate these days come into this profession chasing for money, and having no clue about the ideas like the ones which guided Mr. Bowser. Sure, you still can spectate the gangs like LockBit – that have a list of the companies they will never attack, and practice the methods of so-called “ethical hacking”. Still, there are much more groups that attack whoever and even apply the sliest ways of money extortion.

The post Team Xecuter’s life. How hackers leave after the arrest? appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/cybercriminals-life-under-arrest/feed/ 1 8655