Pardon the Intrusion #25: Ransomware goes pro


Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Ransomware is quickly shaping up to be one of the most significant online security threats of our era, and there’s no end in sight.

Ransomware is not new: the first documented instance of what we now recognize as ransomware dates back to 1989.

Known as AIDS or the PC Cyborg Trojan, the malware targeted the healthcare sector and spread via floppy disks. It counted the number of times the computer booted, and once this count hit 90, it scrambled the files on the hard drive and told the user to ‘renew their license’ by contacting ‘PC Cyborg Corporation’ and sending $189 or $378 to a post office box in Panama.

Since then these tried-and-tested moneymakers have evolved; they use more convincing phishing lures and they’ve become far more widespread.

Take some recent examples. The University of California, after a NetWalker attack on its systems back in June, negotiated with the hackers for a week before coughing up 116 bitcoin (or $1.14 million). Their original demand was a $3 million ransom.

According to a McAfee analysis published earlier this month, the NetWalker ransomware gang has netted as much as $25 million since March 2020, with some of the payments made following their expansion to the Ransomware-as-a-Service (RaaS) model.


“Essentially, [RaaS] works as a rental, with a group of hackers renting malware to cybercriminal customers with varying levels of involvement,” Gemini Advisory said in a recent report. “Some may offer just the malware and the decryption keys, while others offer a full package.”

Another worrying trend, spotted since last year, is “double extortion.” Not content with merely encrypting the target’s files, the criminal gangs steal the data before deploying the ransomware and hold it hostage, betting that victims will pay up rather than risk having their information leaked. Crucially, this undermines the one defence that used to make a ransom optional: a good backup restores the files, but it does nothing to stop a leak.

In what’s likely another case of NetWalker ransomware last month, the University of Utah ended up paying a $457,000 ransom to “ensure information was not released on the internet” despite having recovered the encrypted data from backups.

With many of the affected businesses lacking basic security hygiene, the bigger concern is that this increasing spate of ransomware attacks will embolden cybercriminals to raise the stakes even higher.

When travel company CWT was struck by Ragnar Locker ransomware, it settled with the operators for a ransom of 414 bitcoin ($4.5 million).

“It’s a pleasure to work with professionals,” a ‘support’ representative working on behalf of the ransomware gang said in a chat after handing over the decryption keys. “However we will keep the chat room and will be here for your support.”

What’s trending in security?

Instagram fixed a flaw that retained photos and private direct messages on its servers even after they were deleted by its users, state-sponsored North Korean hackers targeted the Israeli Defense Industry, and Ukraine arrested three men who allegedly ran 20 crypto-exchanges and laundered more than $42 million for ransomware gangs.

  • The New Zealand stock exchange (NZX) was knocked offline three days in a row after being hit by a distributed denial-of-service attack. [NZ Herald]
  • A deep-dive into NSO Group, one of the most secretive surveillance companies in the world and the maker of Pegasus mobile spyware. The company has courted controversies for selling the tool to governments which have misused Pegasus to track human rights activists and journalists around the world. [MIT Technology Review – Part I / Part II]
  • Criminals are using so-called Russian SIMs, or “white” SIMs, to spoof phone numbers and apply voice manipulation to calls in real time. [Motherboard]
  • Researchers detailed unfixed flaws with mesh messaging service Bridgefy that could let attackers deanonymize users and read messages. [Ars Technica]

  • Joe Sullivan, Uber’s former security chief who currently serves as Cloudflare’s security head, was charged with attempting to conceal a massive data breach in which hackers stole the records of 57 million Uber drivers and passengers. [The New York Times]
  • The NSA and FBI exposed a new Russian GRU-built, Linux-based hacking tool, called Drovorub, capable of carrying out cyber espionage operations. The US Cybersecurity and Infrastructure Security Agency (CISA) detailed BLINDINGCAN, a strain of malware that has been deployed by North Korean government hackers targeting military defense and aerospace sectors. [NSA / CISA]
  • With Twitter becoming the latest victim of “phone spearphishing,” the FBI and CISA warned of an ongoing voice phishing (or vishing) campaign targeting remote workers in the US aimed at stealing login credentials for corporate networks/VPNs. [Brian Krebs]
  • More than half of foreign cyberattacks against China in 2019 originated in the US (53.5%), according to China’s Computer Emergency Response Team. Russia and Canada came second and third. [South China Morning Post]

  • Malicious Xcode developer projects for macOS are being used to spread the XCSSET suite of malware, which comes with capabilities to hijack Safari web browsers and inject various malicious payloads that can steal passwords, financial data and personal information, and deploy ransomware. [Trend Micro]
  • Last year, GitHub launched a new Security Lab to secure open-source software. Now the company has joined forces with Google, IBM, JPMorgan Chase, Microsoft, and Red Hat to form the Open Source Security Foundation, with the aim of improving the security of open-source software. [OpenSSF]
  • The US warned of an ongoing government-backed hacking campaign by North Korean hackers it calls “BeagleBoyz,” focused on stealing millions from ATMs around the world. [CISA]
  • By exploiting a flaw in IoT connectivity chips, IBM’s team of researchers uncovered a way to bypass security checks and access protected data in millions of IoT devices. The vulnerability was fixed in February this year. [IBM]
  • The fortnight in data breaches, leaks and ransomware: Carnival Corp, Cense.AI, Experian South Africa, Freepik, Moneed, RailYatri, and Utah Gun Exchange.

Data Point

According to Symantec’s Threat Landscape Trends report for the second quarter of 2020, browser-based cryptocurrency mining — also known as cryptojacking — increased a whopping 163% compared to the previous quarter. “This spike in activity coincides with an increase in the value of cryptocurrencies, including Bitcoin and Monero, which are two currencies often mined by browser-based coinminers,” the report said.

Tweet of the week

Tesla CEO Elon Musk apologized for being “embarrassingly late” to the two-factor authentication (2FA) game. Better late than never!

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)
