Saturday, December 10, 2022

New ransomware payment schemes.

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” 

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505”), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

The Week in Ransomware - December 9th 2022 - Wide Impact

   

By Lawrence Abrams 

December 9, 2022 07:02 PM


This week has been filled with research reports and news of significant attacks having a wide impact on many organizations.


Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone's fears that a ransomware attack caused the outage.



Rackspace has not provided any details on the attack, including the ransomware operation behind it and if the threat actors stole data.


However, today they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.


Another attack against a New Zealand MSP Mercury IT has also led to a series of outages for its customers, many of which are local governments in the country.


A ransomware attack on the André-Mignot teaching hospital in Paris has also led to significant disruption, causing some patients to be rerouted to other hospitals.


We also saw some interesting research by cybersecurity firms and the U.S. government this week:



The Cryptonite ransomware accidentally turned into a wiper.

A profile on the Vice Society ransomware operation and their targeting of schools.

The U.S. Department of Health and Human Services (HHS) began warning of Royal ransomware targeting healthcare.

Finally, Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.


Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @VK_Intel, @serghei, @malwrhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO.


December 5th 2022

Ransomware attack forces French hospital to transfer patients

The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that occurred on Saturday evening.


The Story of a Ransomware Turning into an Accidental Wiper

In the last issue of our Ransomware Roundup series, we discussed a publicly available open-source ransomware toolkit called Cryptonite. As part of that investigation, we also discovered a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign. So in this post, we take a closer look at the Cryptonite wiper sample.



Ransomware attack on New Zealand MSP

There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.


New Puspa2 ransomware

PCrisk found a HiddenTear variant called Puspa2 that appends the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO'S_READ_ME._txt.


New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mppn or .mbtf extensions to encrypted files.


December 6th 2022

Rackspace confirms outage was caused by ransomware attack

Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption."



Vice Society: Profiling a Persistent Threat to the Education Sector

Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware as opposed to Vice Society developing their own custom payload.


New Babuk Ransomware Found in Major Attack

During November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a customer's prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting businesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the complete source code for Babuk on a Russian-speaking hacking forum.


New Obz ransomware

PCrisk found a new ransomware variant that appends the .OBZ extension and drops a ransom note named ReadMe.txt.


December 8th 2022

CommonSpirit Health ransomware attack exposed data of 623,000 patients

CommonSpirit Health has confirmed that threat actors accessed the personal data for 623,774 patients during an October ransomware attack.



US Health Dept warns of Royal Ransomware targeting healthcare

The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country's healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.


New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Rackspace warns of phishing risks following ransomware attack

Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.


An Ongoing Attack Against Python and Javascript Developers

Overnight we saw a flurry of activity around typosquats of the popular requests package. In the malicious packages themselves the attacker has embedded the following:


To provide some context, Phylum found an NPM/PyPI campaign where Python packages were distributing Linux and Windows malware that pretended to be ransomware. After testing the ransomware, BleepingComputer has confirmed it does not actually encrypt anything and just drops a ransom note and changes the desktop wallpaper.


The actor behind this told BleepingComputer that they are just "playing" around and will not be adding encryption.


New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .allock[number] extension and drops a ransom note named how_to_back_files.html.


New VoidCrypt variant

PCrisk found a new VoidCrypt variant that appends the .Juli extension and drops a ransom note named unlock-info.txt.
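The Puspa2, STOP, Obz, MedusaLocker and VoidCrypt entries above each give only two artifacts: an appended extension and a ransom-note filename. The following added example (not part of BleepingComputer's roundup or PCrisk's reports) shows how a defender can turn exactly those page-stated indicators into a file-listing triage check; the `[number]` in MedusaLocker's `.allock[number]` is assumed to mean one or more digits, and the sample listing is constructed.

```python
import re
from pathlib import PurePosixPath

# Indicators as stated in this week's entries: (extension regex, ransom-note filename or None).
# Matching is case-sensitive because the reports give fixed spellings (e.g. ".OBZ", ".Juli").
# Assumption: "[number]" in ".allock[number]" means one or more decimal digits.
INDICATORS = {
    "Puspa2 (HiddenTear)": (re.compile(r"\.puspa2#mejukeni7sala029$"), "XXX_HELLO'S_READ_ME._txt"),
    "STOP": (re.compile(r"\.(mppn|mbtf)$"), None),
    "Obz": (re.compile(r"\.OBZ$"), "ReadMe.txt"),
    "MedusaLocker": (re.compile(r"\.allock\d+$"), "how_to_back_files.html"),
    "VoidCrypt": (re.compile(r"\.Juli$"), "unlock-info.txt"),
}


def classify(path):
    """Return (family, kind) when the filename matches a page-listed indicator, else None."""
    name = PurePosixPath(path).name
    for family, (ext_re, note) in INDICATORS.items():
        if note is not None and name == note:
            return family, "ransom_note"
        if ext_re.search(name):
            return family, "encrypted_file"
    return None


def triage(paths, min_encrypted=3):
    """Count hits per family and decide which families deserve an alert.

    A family is flagged when a ransom note sits beside at least one renamed file,
    or when several renamed files appear without a note.  A lone note is not enough:
    a generic name such as ReadMe.txt would otherwise produce constant false positives.
    """
    summary = {}
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        family, kind = hit
        entry = summary.setdefault(family, {"encrypted_file": 0, "ransom_note": 0})
        entry[kind] += 1
    for entry in summary.values():
        entry["flagged"] = (entry["ransom_note"] > 0 and entry["encrypted_file"] > 0) \
            or entry["encrypted_file"] >= min_encrypted
    return summary


# Constructed sample listing (not real telemetry): benign files mixed with page-listed artifacts.
SAMPLE_LISTING = [
    "/srv/share/finance/q3.xlsx",
    "/srv/share/finance/q3.xlsx.allock17",
    "/srv/share/finance/how_to_back_files.html",
    "/srv/share/hr/contracts.docx.mppn",
    "/srv/share/hr/photos.zip.mbtf",
    "/srv/share/hr/budget.pdf.mbtf",
    "/home/user/notes.txt.Juli",  # one renamed file and no note: stays below the threshold
    "/home/user/readme.txt",  # lower-case, so it is not the Obz note name
]

if __name__ == "__main__":
    for family, entry in triage(SAMPLE_LISTING).items():
        print(f"{family}: {entry}")
```

Feed it the output of a share crawl or an EDR file-event export; hits on the extension regexes also make reasonable file-creation detection rules.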


That's it for this week! Hope everyone has a nice weekend!


Sunday, October 30, 2016

Q4OS Rocks!

Last week I received an old IBM Thinkpad laptop with no hard drive.
Hmmm, I thought, I bet I could run Linux on that. Yep, so here is what I did.
I checked out Q4OS, a light Linux distro from http://q4os.org

The website for Q4OS provides the following description:
"A fast and powerful operating system based on the latest technologies while offering highly productive desktop environment. We focus on security, reliability, long-term stability and conservative integration of verified new features. System is distinguished by speed and very low hardware requirements, runs great on brand new machines as well as legacy computers. It is also very applicable for virtualization and cloud computing."
The above text could easily be displayed on the website for a dozen different distributions. I was intrigued however as to what I would get for the 400 megabytes and what I found was surprising, very surprising.

How To Get Q4OS

You can download Q4OS from http://q4os.org/downloads1.html.
You can either download the live CD at 644 megabytes or do as I did and go for the 388 megabyte download, which just provides the installer and no live experience.
Personally, I recommend trying a live version out first in case there are any problems. You won't want to find out about those afterwards, and it helps to get a good feel for the distribution.
I went for the live CD and blew away the previous distribution that was residing on my USB drive and installed onto that. I created a 4 GB swap partition on the 16 GB USB stick and booted the laptop from it.

Q4OS is based on Debian Stable and therefore the installer is pretty much the same one. It isn't difficult to install but there are a lot of steps.
You can also buy a CD from here.

First Impressions

If it wasn't for the Trinity icon in the bottom left corner and the welcome screen you could be forgiven for thinking that you had just booted into an older version of Windows.

There are icons on the desktop for "My Documents", "My Computer", "My Network Places" etc.

The Windows theme continues throughout the distribution including the method used to add networks and set up printers.

The menu is very old school, expanding from left to right as you click through the categories. Two things stand out at this stage: the performance is insanely good, but navigating through menus in this fashion is time consuming.

On the Welcome window there is an option to switch to the Kickoff menu. This is much more modern and includes a search function.

Connecting To The Internet

Connecting to the internet is a fairly standard affair. Click on the network icon in the system tray (may as well call it a system tray, this could be Windows) and select the network. You will need to enter a password if your network requires one.

The Welcome Screen

The welcome window has some key features on it which are definitely useful.
As I chose to install from the installation CD only a base set of applications were installed such as a terminal window, text editor and other KDE centric tools. There is an option on the Welcome screen called "Desktop Profiler" which lets you install a whole set of applications applicable for desktop computing. The choices are for a fully featured desktop, a basic set of applications or just the Q4OS installation as it is.

I think this is a neat touch. The initial download of Q4OS is kept to under 400 megabytes and if I didn't need LibreOffice and other such tools I wouldn't be forced to have applications installed that I didn't require. If I subsequently decide that I need these tools I can click one button and they are downloaded and installed and that download is only around 400 megabytes as well.
Another button on the welcome screen allows you to install multimedia codecs. This will allow you to play MP3 audio and watch DVDs.

The Welcome screen has a button allowing you to install other applications. If you have already chosen to install the fully featured desktop then many of the applications highlighted in the "Install Applications" window will already be installed such as Google's Chrome browser.
There are some decent applications that many people will want to have installed available for installation without having to search the repositories such as Dropbox, Skype, WINE and even Teamviewer. If the application that you want isn't listed you can always launch Synaptic which is the default package manager.
Other options in the Welcome screen include to toggle desktop effects on and off, switch between the classic and modern menus and also choose whether to login automatically.

Customising The Desktop

One thing you will notice is that the dialogue windows all look similar to old school Microsoft dialogues. To be able to change your desktop wallpaper for instance you have to right click on the desktop and choose the customise desktop option from the very windowsy context menu.
As you can see from the image to the left, the desktop configuration settings window could be taken straight out of Windows NT or 2000. Having said all this, the navigation and dialogue windows are all very functional and easy to follow. Q4OS has a nice selection of wallpapers and screensavers available, as shown below.

Applications

The applications included (when you choose the fully featured desktop) are as follows:
  • LibreOffice - Office Suite
  • Pinta - Image Editor
  • Shotwell - Photo Manager
  • Google Chrome - Web Browser
  • Thunderbird - Email Client
  • VLC - Media Player
There are also a number of KDE based tools such as Konqueror, Krusader and Konsole.
The one thing really missing from the installation and from the list of applications in the installation screen (from the Welcome window) is a good audio player which brings us nicely onto the next section.

Installing Applications

Fortunately there is none of that faffing around with Software Centres within Q4OS. Good old Synaptic is the package manager of choice.
It isn't the prettiest tool out there but Synaptic is functional and fairly easy to use with a list of categories down the left, the applications in the top right and a description of a selected application in the bottom right. There is also a decent search facility. When you have found what you wish to install place a check in the box to mark it and then press the "Apply" button.
Therefore if you need a decent audio application search for "Clementine" and install it.

MP3 Audio

As Q4OS doesn't come with its own audio player (although you can play music through VLC) I recommend installing Clementine. I also recommend installing the multimedia codecs from the welcome screen.

Clementine in my opinion is the best audio player that Linux has to offer. It has a really clean and crisp interface and makes lining up and playing your music simple.

Video

The default video player is VLC and it isn't just the best video player on the Linux platform but on any platform. You can choose to play videos from your local disks, DVDs, a network stream or from the internet.

Printing

A common misconception that new users to Linux have is that their hardware isn't catered for and even if it is you need to type in loads of commands to get it working. 
This may have been true 15 years ago but now it is easier to set up printers on the best Linux distributions than it is on Windows. In Q4OS the method required to set up a printer is very similar to how you would do it with Windows. Simply select the Start button, then settings, printers and finally click the "add printer" button. I didn't need to insert a disk to install my wireless printer. I just selected the one that was offered to me and it was ready to go. Quite frankly phenomenal.


Network Storage

I have a Western Digital MyCloud device which I can honestly say is the biggest pile of rubbish I have ever bought. (A network storage device which requires an ethernet connection in 2015 is just nonsense. Worse than that, it keeps losing its connectivity and so you have to restart the stupid thing.)

Connecting to it from Q4OS however worked a charm.
All I needed to do was select "Start" -> "Settings" -> "Network Connections" from the menu and then "Add Connection" and a list of the devices on my network appeared.
Simply double clicking on the WDMyCloud device showed all the folders available.
Once again, phenomenal.

Flash

With regards to Flash you are covered on two fronts, first of all there is the ability to install multimedia codecs and then one of the applications installed is the Google Chrome browser.
Nothing more to say, it just works (well, as well as Flash works, in its creaky, more-security-holes-than-a-Death-Star kind of way).

Summary

It is hard to know what to think of Q4OS. It looks like Windows did about 10 years ago. 
The crazy thing is though that it really works and it works better than most of the other Linux distributions I have tried over the past 10 years. Everything is oddly where you would expect it to be and everything really does just work. I didn't have a single program cause issues and the performance is astounding. Quite honestly I can't fault this as a distribution and I am surprised it isn't more popular. I highly recommend this distribution to all users who are on older or low end computers. I also recommend it to people who want to try Linux without getting their hands too dirty.