Recorded Future Archives – Gridinsoft Blog

APT28 Attacked Ukrainian and Polish Organizations
https://gridinsoft.com/blogs/apt28-attacked-ukrainian-organizations/
Thu, 22 Jun 2023 09:23:34 +0000

Recorded Future, in collaboration with CERT-UA researchers, has unveiled a recent cyber offensive orchestrated by Russian-speaking hackers affiliated with the APT28 Group (also known as Fancy Bear, BlueDelta, Sednit, and Sofacy). Their target: Roundcube mail servers of various Ukrainian organizations, including government entities.

As a reminder, we previously reported on the divergence of hacker groups, some siding with Russia and others with Ukraine. Additionally, Microsoft accused Russia of cyberattacks against Ukraine’s allies.

Recent media coverage also highlighted the arrest of two members of the DoppelPaymer Group by law enforcement in Germany and Ukraine.

The report details that the attackers relied on spear phishing and bait emails that capitalized on the Russian invasion of Ukraine. The campaign showed a high level of readiness: the hackers quickly turned current news into lures, crafting spear-phishing emails whose topics and content mirrored legitimate media reporting on Ukraine.

Once a recipient opened a malicious message, it exploited known vulnerabilities in Roundcube (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to compromise unpatched servers; no interaction with a malicious attachment was required.

The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta-controlled infrastructure.


If the compromise succeeded, the attackers deployed malicious scripts redirecting incoming messages to an email address under their control. These scripts were also employed to locate and pilfer victims’ address books, session cookies, and other data stored in the Roundcube database.

Researchers suggest that the infrastructure used in these attacks has been active since around November 2021, with APT28's activities focused on “gathering military intelligence.”

We have identified BlueDelta activity, most likely targeted at the regional Ukrainian prosecutor’s office and the [unnamed] central executive body of the country, and also found intelligence activities associated with other Ukrainian state structures and organizations, including those involved in the modernization and repair of infrastructure for the Ukrainian military aviation.

This collaboration between Recorded Future and CERT-UA emphasizes the crucial role of partnerships between organizations and governments in ensuring collective defense against strategic threats—particularly in the context of Russia’s ongoing conflict with Ukraine.

BlackMatter ransomware attacks companies with revenues above $100 million
https://gridinsoft.com/blogs/blackmatter-ransomware-attacks/
Thu, 29 Jul 2021 15:40:54 +0000

Recorded Future analysts have discovered a new hacking group behind the BlackMatter ransomware, which attacks large companies and combines the “best” features of the now defunct DarkSide and REvil.

Researchers say the group is currently recruiting “partners” through announcements on the hacker forums Exploit and XSS.

Although any advertising related to ransomware has been banned on these sites since May 2021, BlackMatter members do not advertise Ransomware-as-a-Service (RaaS) itself; instead, they post advertisements seeking “initial access brokers”, that is, people who already have access to compromised corporate networks.


According to the announcement, BlackMatter is only interested in working with brokers who can provide access to the networks of large companies with annual revenues of $100 million or more. Such a network must have between 500 and 15,000 hosts and must be located in the United States, United Kingdom, Canada, or Australia.

Hackers write that they are willing to pay up to $100,000 for exclusive access to any of the suitable networks.

The members of the group boast that they can encrypt data on different operating systems and architectures, including Windows (via Safe Mode), Linux (Ubuntu, Debian, CentOS), VMware ESXi 5+, and NAS platforms such as Synology, OpenMediaVault, FreeNAS and TrueNAS.

Like most modern ransomware operations, the BlackMatter group has already launched its own data leak site, where the hackers intend to publish information stolen from victims if the hacked company does not agree to pay the ransom for decrypting its files. So far, the site is empty, but BlackMatter announced itself only this week and has not attacked anyone yet.

The BlackMatter website lists targets that the group is not going to attack (in case of accidental infection, the data of the victims will be decrypted for free). The list includes:

  • hospitals;
  • critical infrastructure facilities (nuclear power plants, power plants, water treatment plants);
  • oil and gas industry (pipelines, oil refineries);
  • defense industry;
  • non-profit organizations;
  • government sector.

Recorded Future analysts believe that the new group may be linked to another notorious ransomware operation, DarkSide, which ceased operations in May this year after the high-profile attack on Colonial Pipeline drew too much attention from the authorities. For now, however, the researchers have not reached final conclusions and continue to investigate.

FonixCrypter ransomware stopped working and published a key to decrypt data
https://gridinsoft.com/blogs/fonixcrypter-ransomware-stopped-working-and-published-a-key-to-decrypt-data/
Mon, 01 Feb 2021 16:06:54 +0000

The authors of the FonixCrypter ransomware announced that they had deleted the source code of their malware and that FonixCrypter has stopped operating. Along with this statement, they published a file decryption tool, instructions for it, and the malware's master key. Former victims of the ransomware can therefore now recover their data for free.

The FonixCrypter ransomware has been active since at least June 2020. According to information security specialist Andrey Ivanov, the malware was regularly updated, and last year at least seven different variants of FonixCrypter were released.

ZDNet reports that analysts at Recorded Future have already tested the decryptor and confirmed that it (and the master key) works properly, just as the attackers explained.

“The decryption key provided by the authors of the Fonix ransomware seems legitimate, although with its help users will have to decrypt each file separately. However, more importantly, they released a master key that enables them to create a better decryption tool,” said Allan Liska, a security researcher from the Recorded Future threat intelligence firm.

Emsisoft experts are already developing a more advanced decryptor, which is expected to be released this week. For this reason, users are advised not to use the hackers' tool to rescue their data.

“Users are advised to wait for the Emsisoft decryptor rather than use the one provided by the FonixCrypter gang. It may still contain malware and backdoors that victims may end up installing on their systems,” recommends Michael Gillespie, an Emsisoft security researcher who specializes in breaking ransomware encryption.

Although the ransomware worked and made money for its authors, it looks like the hackers really decided to scale back. For example, the group has already deleted its Telegram channel, where it usually advertised its malware to other criminals.

Read also about ransomware trends at the edge of 2021.

However, Recorded Future analysts note that the group immediately announced plans to launch a new channel in the near future. It is unknown if this new channel will be centered around some new malware. According to a message posted on Twitter, the hackers are planning to quit with ransomware and will allegedly use their abilities exclusively “in a positive way.”

Let me remind you that I also talked about the fact that the Dharma ransomware source code was put up for sale.
