Select Page
Slide 1

Weekly

Ransomware Roundup

May 23 - 27, 2022

PlayPlay
BlackCat/ALPHV Ransomware Hits Austrian State Asking $5 Million in Ransom

Austrian federal state Carinthia has been hit by the BlackCat ransomware gang, who demanded a $5 million to unlock the encrypted computer systems. The attack has caused severe operational disruption of government services, as thousands of workstations have allegedly been locked by the threat actor. Read more

Cheerscrypt Ransomware Targets VMware ESXi systems

Cheerscrypt, or Cheers, targets VMware ESXi servers in a double extortion attack. The ransomware needs to acquire privileged shell access or otherwise gain the ability to run commands on the host to encrypt the ESXi host. After which, the malware runs an esxcli command to terminate all VMs and seeks to encrypt files with .log, .vmdk, .vmem, .vswp, and .vmsn extensions. Read more

Somerset County Hit by a Ransomware Attack – County Databases Unavailable

Somerset County, New Jersey, was hit by a ransomware attack rendering county databases including land records, vital statistics, email, and probate records temporarily unavailable. Phone lines and emergency 911 communications remain unaffected. Clerk and surrogate services that depend on access to county databases were unavailable, while title searches were possible only on paper records dated before 1977. Read more

Exploitation of VMware Vulnerability Imminent Following Release of PoC

The Host header manipulation vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows malicious actors with network access to the UI to bypass authentication. Penetration testing company Horizon3.ai has published a technical deep dive for CVE-2022-22972 and made public a PoC exploit. VMware has updated its initial advisory to inform customers about the availability of a PoC, which further increases the chances of exploitation. Read more

Log Archiving: What Challenges to Expect and How to Overcome Them

Traditional log archiving systems are built to focus on affordable long-term retention which is why most storage administrators use unreliable and insecure storage hardware such as tape arrays. This approach is costly in terms of time and resources, and risks business IT systems by being vulnerable to ransomware attacks. Read more

Enemybot Adds Exploits for Critical VMware Vulnerabilities

EnemyBot, a botnet based on code from multiple malwares, is expanding its reach by quickly adding exploits for recently disclosed vulnerabilities in web servers, content management systems, IoT, and Android devices. The ransomware launches distributed denial-of-service (DDoS) attacks and also has modules to scan for new target VMware devices to infect them by leveraging the remote code execution flaw (CVSS: 9.8). The new additions also impact F5 BIG-IP threatening vulnerable endpoints with device takeover. Read more

Promo
1PB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $49,995

1PB Fully Air Gapped and Immutable Veeam Backup and DR appliance with Object Lockdown Technology for Ransomware protection & Instant multi VM recovery for $49,995.

This powerful 1PB DR365V site in a box leverages Veeam-integration using the built-in Air-Gapped network, power management controller repository and storage controller using fully automated and Veeam integrated isolation technology.

Fully Populated 1U, 4 bay head unit plus 60-bay 4U JBOD all filled with total of 64x16TB (1,024 TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 64GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

For hardware specifications and demos, contact us.

Slide 1

Weekly

Ransomware Roundup

May 16 - 20, 2022

PlayPlay
Angry IT admin wipes employer’s databases, gets 7 years in prison

Han Bing, a former database administrator for Lianjia, a Chinese real-estate brokerage giant, has been sentenced to 7 years in prison for logging into corporate systems and deleting the company's data using his administrative privileges and “root” access. This crippled large portions of Lianjia’s operations, leaving tens of thousands of employees without salaries for an extended period of time and forcing a data restoration effort that cost $30,000. Read more

REvil Variant Darkside Attacks Toshiba Tec Group

DarkSide ransomware, which cybersecurity experts found to be a REvil variant and also known to have triggered the shutdown of the Colonial pipeline, has attacked the European subsidiaries of the Toshiba Tec Group. The ransomware group hacked Toshiba’s IT systems in France, stole confidential files and claims to have stolen over 740 gigabytes of data that includes information on management, new businesses and personal data. Read more

Microsoft Warns of New PowerShell Wrapper Brute Force Attack Against SQL Servers

Microsoft has warned organizations of a new wave of brute force attacks that are targeting SQL servers using an uncommon living-off-the-land binary (LOLBin). The attackers use sqlps.exe, a PowerShell wrapper that supports the execution of SQL-built cmdlets allowing the attackers to run recon commands and to modify the start mode of the SQL service to LocalSystem enabling the malicious activity hidden from detection tools that hinders forensic analysis. Read more

What are air-gapped backups?

Air-gapping allows users to protect critical backups, snapshots, and replicas from ransomware infection even if production and backup servers are compromised. Learn what air-gapped backups are, what are the advantages, and how you can add air-gapping to your IT systems. Read more

PDF smuggles Microsoft Word doc to drop Snake Keylogger malware

Experts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. Opening the PDF prompts the user to open a DOCX file contained inside, named "has been verified," creating a file prompt "The file 'has been verified,” tricking recipients into believing that Adobe verified the file as legitimate and that the file is safe to open. The file then runs the Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities. Read more

QNAP alerts NAS customers of new DeadBolt ransomware attacks

The Taiwan-based company has asked users to update their NAS devices to the latest software version and ensure that they're not exposed to remote access over the Internet. The QNAP Product Security Incident Response Team (QNAP PSIRT) said the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series. Once deployed on a NAS device, DeadBolt uses AES128 to encrypt files, appending a .deadbolt extension to their names. Read more

Promo
100TB-10PB ONLY 1000W $8,900 Air-Gapped & Immutable Veeam, Rubrik, CommVault, Site recovery Backup and DR appliance

NO matter 100TB or 10PB - Power ONLY 1000W. Benefits include 1) Low Power consumption, 2) Low cost, 3) Low maintenance, 4) Less Rack Space, 5) Low cooling need and built-in Zero Trust.

Green PetaByte Archive (GPA) is a Fully Air-Gapped and Immutable backup and DR appliance with SAN-NAS and S3 Object Lockdown Technology for Ransomware protection & Instant multi VM FastTrack recovery for Starting at $8,900.

For hardware specifications and demos, contact us.

Slide 1

Weekly

Ransomware Roundup

May 9 - 13, 2022

PlayPlay
Researchers Find Iranian Cyberspy Group “Charming Kitten” Launching Attacks on US Organizations

Researchers identified that a U.S. philanthropic organization had its network infiltrated by Charming Kitten using previously secured access which then prompted web shell deployment for dropping more files including a file named dllhost.exe. The malicious executable is a Go binary that appears to be in part based on the Fast Reverse Proxy (FRP) code available on GitHub. When executed, the dllhost.exe collects system information and sets up a communication tunnel with the command-and-control (C & C) server. The attack used BitLocker to encrypt workstations at the organization. Read more

Five Eyes Alliance Issues a Joint Advisory to Warn MSPs About Targeted Cyberattacks

The Five Eyes alliance of cybersecurity authorities from the US, UK, Australia, New Zealand, and Canada, has issued a warning to MSPs about cyberattacks that may have "globally cascading effects." According to the advisory, whether the customer's network is hosted on-premises or externally, threat actors can use a vulnerable MSP to gain initial access into multiple victim networks and can compromise the MSP through follow-on activity - such as ransomware and cyber espionage - as well as across the MSP's customer base in a supply chain attack. Read more

Post-Exploitation Framework Uses Memory Execution to Target Microsoft Servers

A post-exploitation framework “IceApple” is targeting global organizations that use Internet Information Services (ISS) - Microsoft's extensible web server software - and Microsoft Exchange servers since at least 2021. IceApple uses in-memory execution and unique stealth techniques to avoid detection. The malware can leverage the .NET framework and assemblies to target victims. Researchers say that IceApple shows persistence and long-running objectives aimed at intelligence collection, such as credential harvesting, file and directory deletion and data exfiltration. Read more

What You Need to Know about Cybersecurity Threats in 2022

Cybersecurity threats are aimed at accessing an organization’s sensitive data. In 2021, cyberattacks were at an all-time high, and they will not be slowing down any time soon. Learn how to protect Your data from cyberthreats in 2022. Read more

Pro-Russian Hacktivists Killnet Hit Italian Government Sites in ‘Slow HTTP’ DDoS attacks

Pro-Russian hacktivists known as Killnet attempted distributed denial of service (DDoS) attacks against crucial government sites including ministry, parliament, and even army websites using the "Slow HTTP" technique. This method is based on sending one HTTP request at a time to webservers but sets the request at a very slow transmission rate or makes it incomplete, leaving the server waiting for the next request which allocates resources to wait for the remaining data. Too many accumulated requests overwhelm the servers until it can no longer take further requests. Read more

Researchers Analyzed the Black Basta Ransomware Infection Routine

Black Basta, a new ransomware gang, swiftly rose to prominence in recent weeks after it caused massive breaches to organizations in a short span of time. Researchers found that the ransomware needs admin rights to run. After which, it removes shadow copies, disabled Windows recovery and repair, and boots the PC in safe mode – later encrypting files, creating a registry entry, and demanding ransom. Read more

Promo
42TB Physically Isolated and Detachable Veeam Air-Gap Node for $6,995

42TB purpose-built Physically isolated and detachable air-gap node for your mission-critical Veeam backups, snapshots and replicas are Offline by Default and accessible only when the node is in-use.

This DR365VIVA leverages Veeam-integration and enable storage administrators to set policies which automatically isolates the nodes using the built-in network and power controller and turns itself off once the backup job is done making it isolated from your production and backup environments.

8-bay 2U Rackmount unit, 3x14TB (42TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Dual Redundant Power Supply, 12Gb SAS Hardware RAID Controller. For more information, visit DR365VIVA air-gapped nodes webpage.

Slide 1

Weekly

Ransomware Roundup

May 2 - 6, 2022

PlayPlay
Costa Rica Declares Emergency After Conti Ransomware Attack

The Costa Rican President Rodrigo Chaves has declared a national emergency following cyber-attacks from Conti ransomware group on multiple government bodies. Conti has, so far, stolen 672GB of data and published 97% of it on their leak site. The leak site presently lists the finance ministry, ministry of labor and social security, the social development and family allowances fund, the Interuniversity Headquarters of Alajuela government departments purportedly affected by the attack. Read more

Lincoln College in Illinois to Shutdown Permanently After Ransomware Attack

Lincoln College in Illinois will shut down permanently this week after financial woes caused by the pandemic were magnified by a ransomware attack last December. The college’s finances were stretched thin due to the COVID-19 pandemic leading to a drop in enrollments and the large tech spendings for remote learning. The final blow came on December 19 when the college was hit by ransomware, which affected its IT systems for recruitment, retention and fundraising. Read more

US Agricultural Machinery Maker AGCO Hit by Ransomware Attack

AGCO, a leading US-based agricultural machinery producer, has announced it was hit by a ransomware attack impacting some of its production facilities. AGCO is a giant in the field, having a revenue of over $9 billion, employing 21,000 people, and owning brands like Fendt, Massey Ferguson, Challenger, Gleaner, and Valtra. As such, any production disruption caused by the ransomware attack could have a significant supply chain impact on the production and delivery of equipment. Read more

Experts Recommend Immutable Backups to Mitigate Ransomware Risks

Cybersecurity experts recommend immutable backups to protect sensitive information such as Personally Identifiable Information, Protected Health Information, etc. from ransomware attacks. Learn what immutable backups are and why do you need them. Read more

Fake Windows 10 Updates Being Used to Distribute Magniber Ransomware

Fake Windows 10 updates are being used to distribute the Magniber ransomware in a massive campaign that started earlier in April. These updates are distributed under various names, with Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi being the most common.
Read more

Backups Can’t Protect Your Data – You Need Air-Gapping and Immutability

Ransomware target the corporate impacting not just production but also connected storage devices and backup servers. As a result, backups alone aren’t enough to effectively protect your data from ransomware which is why experts recommend air-gapping and immutability. Read more

Promo
Veeam Cloud $50/TB Immutable and Air-Gapped Backup and Disaster Recovery

Veeam Cloud Backups with Integrated Immutable and Air-Gapped for $50/TB per month. Backup or Replicate, Spin-up in the cloud for $50/TB.

Need help with planning, installation, configuration, optimization, testing, or training? 24/7 Smart Protect remote backup and DR management plan available for your complete support needs. For demos and details, contact us.

WordPress PopUp Plugin

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.

Please Confirm your subscription from the email