Firewall Firm is a Managed Cyber Security Company in India

Tag Archives: ransomware attack

Kaseya Ransomware Attack Affected Up to 1,500 Businesses, CEO Says

Kaseya CEO Fred Voccola said in an interview that it was hard to estimate the precise impact of the recent attack.

The hackers who claimed responsibility for the breach have demanded $70 million (roughly Rs. 520 crores)

Between 800 and 1,500 businesses around the world have been affected by a ransomware attack centered on US information technology firm Kaseya, its chief executive said on Monday.

Fred Voccola, the Florida-based company’s CEO, said in an interview that it was hard to estimate the precise impact of Friday’s attack because those hit were mainly customers of Kaseya’s customers.

Kaseya is a company which provides software tools to IT outsourcing shops: companies that typically handle back-office work for companies too small or modestly resourced to have their own tech departments.

One of those tools was subverted on Friday, allowing the hackers to paralyse hundreds of businesses on all five continents. Although most of those affected have been small concerns – like dentists’ offices or accountants – the disruption has been felt more keenly in Sweden, where hundreds of supermarkets had to close because their cash registers were inoperative, or New Zealand, where schools and kindergartens were knocked offline.

The hackers who claimed responsibility for the breach have demanded $70 million (roughly Rs. 520 crores) to restore all the affected businesses’ data, although they have indicated a willingness to temper their demands in private conversations with a cybersecurity expert and with Reuters.

“We are always ready to negotiate,” a representative of the hackers told Reuters earlier Monday. The representative, who spoke via a chat interface on the hackers’ website, didn’t provide their name.

Voccola refused to say whether he was ready to take the hackers up on the offer.

“I can’t comment ‘yes,’ ‘no,’ or ‘maybe’,” he said when asked whether his company would talk to or pay the hackers. “No comment on anything to do with negotiating with terrorists in any way.”

The topic of ransom payments has become increasingly fraught as ransomware attacks become increasingly disruptive – and lucrative.

Voccola said he had spoken to officials at the White House, the Federal Bureau of Investigation, and the Department of Homeland Security about the breach but declined to say what they had told him about paying or negotiating.

On Sunday the White House said it was checking to see whether there was any “national risk” posed by ransomware outbreak but Voccola said that – so far – he was not aware of any nationally important organizations being hit.

“We’re not looking at massive critical infrastructure,” he said. “That’s not our business. We’re not running AT&T’s network or Verizon’s 911 system. Nothing like that.”

Because Kaseya was in the process of fixing the very vulnerability the hackers exploited when the ransomware attack was launched, some information security professionals have speculated that the attackers might have been monitoring the company’s internal communications.

Voccola said neither he nor the investigators his company had brought in had seen any sign of that.

“We don’t believe that they were in our network,” he said. He added that the details of the breach would be made public “once its ‘safe’ and OK to do that.”

Some experts believe the full fallout from the hack will come into focus on Tuesday, when Americans return from their July Fourth holiday weekend. Beyond the United States, the most notable disruption occurred in Sweden – where hundreds of Coop supermarkets had to shut their doors because their cash registers were inoperative – and in New Zealand, where 11 schools and several kindergartens were affected.

In their conversation with Reuters, the hackers’ representative described the disruption in New Zealand as an “accident.”

But they expressed no such regret about the disruption in Sweden.

The supermarkets’ closure was “nothing more than a business,” the representative said.

About a dozen different countries have had organizations affected by the breach in some way, according to research published by cybersecurity firm ESET.

Kaseya July 2021 ransomware incident

Fujifilm becomes the latest victim of a network-crippling ransomware attack

Japanese multinational conglomerate Fujifilm has been forced to shut down parts of its global network after falling victim to a suspected ransomware attack.

The company, which is best known for its digital imaging products but also produces high-tech medical kit, including devices for rapid processing of COVID-19 tests, confirmed that its Tokyo headquarters was hit by a cyberattack on Tuesday evening.

“Fujifilm Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the company said in a statement posted to its website.

“We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.

“We are currently working to determine the extent and the scale of the issue. We sincerely apologize to our customers and business partners for the inconvenience this has caused.”

As a result of the partial network shutdown, Fujifilm USA added a notice to its website stating that it is currently experiencing problems affecting all forms of communications, including emails and incoming calls. In an earlier statement, Fujifilm confirmed that the cyberattack is also preventing the company from accepting and processing orders.

Fujifilm has yet to respond to our request for comment.

While Fujifilm is keeping tight-lipped on further details, such as the identity of the ransomware used in the attack, Bleeping Computer reports that the company’s servers have been infected by Qbot. Advanced Intel CEO Vitali Kremez told the publication that the company’s systems were hit by the 13-year-old Trojan, typically initiated by phishing, last month.

The creators of Qbot, also known as QakBot or QuakBot, have a long history of partnering with ransomware operators. Its operators previously worked with the ProLock and Egregor ransomware gangs, and are currently said to be linked with the notorious REvil group.

“Initial forensic analysis suggests that the ransomware attack on Fujifilm started with a Qbot trojan infection last month, which gave hackers a foothold in the company’s systems with which to deliver the secondary ransomware payload,” Ray Walsh, digital privacy expert at ProPrivacy, told TechCrunch. “Most recently, the Qbot trojan has been actively exploited by the REvil hacking collective, and it seems highly plausible that the Russian-based hackers are behind this cyberattack.”

REvil, also known as Sodinokibi, not only encrypts a victim’s files but also exfiltrates data from their network. The hackers typically threaten to publish the victim’s files if their ransom isn’t paid. But a site on the dark web used by REvil to publicize stolen data appeared offline at the time of writing.

Ransomware attacks have been on the rise since the start of the COVID-19 pandemic, so much so that they have become the biggest single money earner for cybercriminals. Threat hunting and cyber intelligence firm Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, and that the average ransom demand increased more than twofold to $170,000.

At the time of writing, it’s unclear whether Fujifilm has paid any ransom to the hackers responsible for the attack on its systems.

Preventing Ransomware

How can we avoid or prevent a ransomware attack?

Over the last few years ransomware has evolved into one of the biggest threats to cyber security, and the number of cases reported each day keeps growing. These attacks are spread across the globe. As a proactive measure, we are notifying our clients of the steps required to improve their security posture and secure their web sites and web servers.

What is ransomware?

Ransomware is malware that stealthily installs itself on your PC or mobile device and holds your files, or functions of the operating system, for ransom. It prevents you from using the device or from accessing your files (which are locked or encrypted) until you pay the ransom, supposedly in exchange for the decryption key.

Paying the ransom (by credit card or Bitcoin) does not guarantee that you will get your files back. Prevention is far better than getting infected and then trying to find a cure.

What does a ransomware attack look like?

Ransomware targets the pictures, documents and other files and data that are valuable to you.

You can tell that you are under attack when you see any of the following:

  • Ransomware note
  • Encrypted files
  • Renamed files
  • Locked browser
  • Locked screen

Encrypted files are written in an unrecognisable format and are usually renamed with an unfamiliar extension appended to the original name, so the application that created them can no longer open them.
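The indicators listed above (renamed files, unreadable contents, a ransom note dropped beside them) can be checked for programmatically. The following script is an added example written for this page, not code from Firewall Firm or from any ransomware family: it walks a directory, measures the byte entropy of each file, flags files whose extension is unexpected or has been appended to a known document type while the contents look like ciphertext, and looks for ransom-note file names. The extension sets, entropy threshold and the sample directory it builds are assumptions chosen for the demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the estate is expected to hold as user data; anything else that
# also has near-random contents is suspicious. Assumption: tune per environment.
KNOWN_DATA_EXTS = {".txt", ".csv", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
                   ".pptx", ".pdf", ".jpg", ".png", ".log"}
# Formats that are legitimately high-entropy (compressed or encoded); these are
# never flagged on entropy alone.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".rar", ".jpg", ".png", ".pdf",
                   ".docx", ".xlsx", ".pptx", ".mp4"}
# Words typical of ransom-note file names. "readme" is deliberately left out so
# ordinary project READMEs are not flagged.
NOTE_NAME_RE = re.compile(r"(decrypt|recover|restore|ransom|how.?to|unlock)", re.I)
NOTE_EXTS = {".txt", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text sits around 4-5, ciphertext near 8
SAMPLE_BYTES = 4096
SUSPECT_RATIO = 0.25      # fraction of files that must look encrypted to raise the verdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when the file has an unexpected or appended extension AND its first
    bytes look random, e.g. 'budget.xlsx.locked' full of ciphertext."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in HIGH_ENTROPY_OK:
        return False
    renamed = (len(suffixes) >= 2 and suffixes[-2] in KNOWN_DATA_EXTS
               and ext not in KNOWN_DATA_EXTS)
    unknown = ext not in KNOWN_DATA_EXTS
    if not (renamed or unknown):
        return False
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD


def scan_tree(root: str) -> dict:
    """Walk `root` and report encrypted-looking files and ransom-note candidates."""
    report = {"total": 0, "suspect_files": [], "ransom_notes": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        report["total"] += 1
        if path.suffix.lower() in NOTE_EXTS and NOTE_NAME_RE.search(path.stem):
            report["ransom_notes"].append(path.name)
        elif looks_encrypted(path):
            report["suspect_files"].append(path.name)
    ratio = len(report["suspect_files"]) / report["total"] if report["total"] else 0.0
    report["verdict"] = ("likely ransomware"
                         if report["ransom_notes"] or ratio >= SUSPECT_RATIO
                         else "clean")
    return report


def build_demo_tree(root: str) -> None:
    """Constructed sample data: four ordinary documents, six files that were
    'encrypted' (random bytes with an extension appended) and one ransom note."""
    for name in ("budget_2021.txt", "minutes.csv", "vendors.txt", "draft.log"):
        Path(root, name).write_text("quarterly figures, approved by finance\n" * 40)
    for i in range(6):
        Path(root, f"report_{i}.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    Path(root, "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted...\n")


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real file share by calling `scan_tree("/path/to/share")`; on the constructed tree it reports six suspect files out of eleven plus the note, so the verdict is "likely ransomware". Entropy alone is a weak signal (archives and images are also random-looking), which is why the check requires an unexpected or appended extension as well.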

When can a ransomware attack start?

Potential victims fall into the ransomware trap when they are:

  • Browsing untrusted websites
  • Careless about downloading or opening attachments from spam e-mails, which are known to carry malicious code. This includes compressed files and files inside archives. Dangerous attachment types include:
    • Executables and scripts (.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, etc.)
    • Office files that can carry macros (.doc, .xls, .docm, .xlsm, .pptm, etc.)
  • Installing pirated software, or running outdated software or operating systems
  • Using a PC that is connected to an already infected network
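The attachment list above is the basis of a mail-gateway filter. The code below is an added example written for this page, not a Firewall Firm product or an excerpt from any mail gateway: it classifies an attachment by the extension Windows would actually resolve (trailing dots and spaces stripped, double extensions such as `Invoice.pdf.exe` recognised), looks inside ZIP archives because the text notes that files inside archives count too, and quarantines password-protected archive members it cannot inspect. The `DOCUMENT_EXTS` set, the ZIP-only archive handling and the sample attachments are assumptions made for the demonstration.

```python
import io
import zipfile

# Extensions from the list above: anything Windows will execute or script.
EXECUTABLE_EXTS = {
    ".ade", ".adp", ".ani", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl",
    ".crt", ".hlp", ".ht", ".hta", ".inf", ".ins", ".isp", ".job", ".js",
    ".jse", ".lnk", ".mda", ".mdb", ".mde", ".mdz", ".msc", ".msi", ".msp",
    ".mst", ".pcd", ".reg", ".scr", ".sct", ".shs", ".url", ".vb", ".vbe",
    ".vbs", ".wsc", ".wsf", ".wsh", ".exe", ".pif",
}
# Office formats that can carry VBA macros (legacy binary formats included).
MACRO_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Extensions an attacker places in front of the real one ("Invoice.pdf.exe").
# Assumption: extend with whatever document types your users exchange.
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip"}  # assumption: only ZIP is unpacked in this example


def effective_extension(name: str) -> str:
    """Last extension as Windows resolves it: directory part dropped, trailing
    dots and spaces (which Explorer silently removes) stripped, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def classify_name(name: str) -> tuple:
    """Return (verdict, reason) for one file name."""
    ext = effective_extension(name)
    parts = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower().split(".")
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            return ("block", "double extension disguised as document")
        return ("block", "executable extension")
    if ext in MACRO_EXTS:
        return ("quarantine", "macro-capable Office document")
    return ("allow", "")


def classify_attachment(name: str, data: bytes) -> list:
    """Classify an attachment and, for ZIP archives, every member inside it."""
    results = [(name,) + classify_name(name)]
    if effective_extension(name) in ARCHIVE_EXTS and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # encrypted member: contents cannot be inspected
                    results.append((member, "quarantine", "password-protected archive member"))
                else:
                    results.append((member,) + classify_name(info.filename))
    return results


def overall_verdict(results: list) -> str:
    """Most severe verdict wins: block > quarantine > allow."""
    rank = {"allow": 0, "quarantine": 1, "block": 2}
    return max((r[1] for r in results), key=rank.__getitem__)


def build_samples() -> list:
    """Constructed sample attachments for the demonstration (not real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("notes.txt", b"please see attached")
    return [
        ("Invoice_2021.zip", buf.getvalue()),
        ("Q3_report.xlsm", b"PK\x03\x04" + b"\x00" * 32),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("payload.exe. ", b"MZ"),
    ]


def run_demo() -> dict:
    """Map attachment name -> overall verdict for the constructed samples."""
    return {name: overall_verdict(classify_attachment(name, data))
            for name, data in build_samples()}


if __name__ == "__main__":
    for name, data in build_samples():
        for entry in classify_attachment(name, data):
            print(entry)
```

A filter that only checks the outer file name would pass `Invoice_2021.zip`; unpacking it exposes the `Invoice.pdf.exe` inside and the whole message is blocked. Encrypted archives are a common phishing trick precisely because the gateway cannot look inside, so they are held rather than allowed.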

How can we avoid or prevent a ransomware attack?

  1. Do not use passwords that are easy to crack, and avoid variants of the word “password” (for example P@ssw0rd12 or Pass1234). Use long, complex passwords; a generator such as http://passwordsgenerator.net/ can help.
  2. Implement IP-based access lists in your cloud firewall rules, and do not leave rules that allow server access from “Any” as the source.
  3. Keep backups of your files, either by copying them to an offline location or by using the Veritas NetBackup/Commvault backup services from NxtGen.
  4. Replication services with a 24-hour checkpoint let you restore a server to the state it was in before the attack was executed.
  5. Keep your operating system, antivirus and installed software patched and up to date.
  6. Avoid suspicious websites, e-mails and files, which may hide Trojans that get downloaded to your computer.
  7. Disable remote access from unknown sources. Never allow RDP from ANY; change it immediately so that access is permitted only from specific IP addresses on a specific port.
  8. Avoid running macros on the server.
  9. In some cases attackers gain access by brute force, trying many passwords against the default user accounts with password-cracking software. Disable the default accounts (guest, admin, administrator) and choose user names that are hard to guess.
  10. Grant admin rights to user accounts only where necessary; if a user with admin access downloads malware from an infected website, it can infect every system on the local network.
  11. Enable account lockout after multiple failed login attempts to the server.
  12. Use an SSL certificate for access to the website and define which browsers are authorised to access it.
  13. Selectively allow only the firewall ports you need and block everything else.
  14. Do not let attackers discover your server by scanning essential ports. If DNS, AD or database ports are reachable from the public network, your server is far more exposed to these attacks.
  15. Restrict user accounts according to their role.

Finally, bear in mind that there is very little chance of decrypting the files without the key, since this ransomware uses strong encryption, so prevention and backups are what actually protect you.
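Several of the steps above (IP-based access lists, no RDP from ANY, only necessary ports open, no DNS/AD/database ports on the public network) amount to one audit of the firewall or cloud security-group rules. The script below is an added example written for this page, not Firewall Firm tooling or a cloud provider's API: it takes rules in a simplified, assumed schema (`name`, `protocol`, `from_port`, `to_port`, CIDR `source`), flags any rule exposing an administrative or database port to `0.0.0.0/0` or `::/0` as critical, any other non-web port open to the world as high, and admin ports reachable from a very broad private range as medium. The port list, severity thresholds and sample rule set are assumptions chosen for the demonstration.

```python
import ipaddress

# Ports that must never be reachable from the public internet (steps 2, 7, 13
# and 14 above). Assumption: extend with whatever else your estate runs.
SENSITIVE_PORTS = {
    22: "SSH", 53: "DNS", 88: "Kerberos", 135: "MS-RPC", 139: "NetBIOS",
    389: "LDAP", 445: "SMB", 636: "LDAPS", 1433: "MSSQL", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 5985: "WinRM", 5986: "WinRM-HTTPS",
}
# The only ports a public-facing web server should expose to "Any".
PUBLIC_OK = {80, 443}
BROAD_PREFIX = 24  # a source wider than a /24 is treated as too broad for admin ports


def rule_severity(rule: dict) -> tuple:
    """Return (severity, message) for a bad rule, or None when it is acceptable.
    Rule schema (assumed): {"name", "protocol", "from_port", "to_port", "source"}."""
    net = ipaddress.ip_network(rule["source"], strict=False)
    lo, hi = rule["from_port"], rule["to_port"]
    any_source = net.prefixlen == 0          # 0.0.0.0/0 or ::/0, i.e. "Any"
    exposed = sorted(name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi)
    if any_source and exposed:
        return ("critical", f"{rule['name']}: {', '.join(exposed)} open to "
                            f"{rule['source']}; restrict source to known IPs")
    if any_source and not all(p in PUBLIC_OK for p in range(lo, hi + 1)):
        return ("high", f"{rule['name']}: non-web ports {lo}-{hi} open to {rule['source']}")
    if exposed and net.prefixlen < BROAD_PREFIX:
        return ("medium", f"{rule['name']}: {', '.join(exposed)} reachable from "
                          f"broad range {rule['source']}")
    return None


def audit_rules(rules: list) -> dict:
    """Map rule name -> severity for every rule that fails the checks."""
    findings = {}
    for rule in rules:
        result = rule_severity(rule)
        if result:
            findings[rule["name"]] = result[0]
    return findings


def harden_rule(rule: dict, allowed_source: str) -> dict:
    """The fix step 7 asks for: same port, source narrowed to a specific address."""
    return {**rule, "source": allowed_source}


# Constructed sample rule set (not taken from any real environment).
SAMPLE_RULES = [
    {"name": "rdp-anywhere", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "https-public", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "all-tcp-anywhere", "protocol": "tcp", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
    {"name": "mssql-from-office", "protocol": "tcp", "from_port": 1433, "to_port": 1433, "source": "203.0.113.0/24"},
    {"name": "dns-ipv6-anywhere", "protocol": "udp", "from_port": 53, "to_port": 53, "source": "::/0"},
    {"name": "rdp-from-corp-slash8", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.0.0.0/8"},
    {"name": "custom-app-anywhere", "protocol": "tcp", "from_port": 8443, "to_port": 8443, "source": "0.0.0.0/0"},
]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        result = rule_severity(rule)
        print(result if result else f"{rule['name']}: ok")
    print("after hardening:", rule_severity(harden_rule(SAMPLE_RULES[0], "203.0.113.10/32")))
```

On the sample set the three “Any” rules that reach RDP, DNS or the whole TCP range come back critical, the custom application port comes back high, and RDP from an entire /8 comes back medium; narrowing the RDP rule to a single /32 makes it pass. Feeding real rules in only requires mapping your provider's export to the five-field schema.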

References:

https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/

https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

http://www.computerweekly.com/feature/How-to-avoid-being-caught-out-by-ransomware

https://blogs.technet.microsoft.com/mmpc/2014/08/12/fireeye-and-fox-it-tool-can-help-recover-crilock-encrypted-files/

https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html

Prevent a ransomware attack white paper
