Researchers have provided a case study on Nefilim, a ransomware operator that uses “double-extortion” tactics to ensure payment from victim organizations.
Ransomware is a form of malware that is created to encrypt compromised systems. Once it lands on a vulnerable machine — whether through a phishing message, software vulnerability, stolen access credentials, or other means — files and drives will be encrypted and can only be recovered with a decryption key.
The decryption key is the carrot dangled in front of victims, who are usually promised a key and the means to restore their systems in return for payment. When it comes to enterprise players, ransom demands can reach millions of dollars — and there is never a guarantee a key will be issued or will be technically suitable for restoration efforts.
The phrase “ransomware” has become a familiar one to the general public as week-on-week we hear of more cases.
In recent months, Colonial Pipeline suffered a ransomware outbreak that ended up causing fuel shortages across parts of the United States, and following an infection at Ireland’s national health service, the HSE is still experiencing “significant” disruption.
What sets these attacks apart is the possibility of “double-extortion,” a relatively new tactic designed to ramp up the pressure on victims to pay up. During a cyberattack, ransomware operators including Maze, Nefilim, REvil, and Clop will steal confidential data and threaten to release or sell this information on a leak website.
On Tuesday, Trend Micro published a case study examining Nefilim, a ransomware group the researchers believe is, or was, associated with Nemty, which originally operated as a ransomware-as-a-service (RaaS) outfit.
Nemty appeared on the scene in 2019; Trend Micro, working with Sentinel Labs, says that Nefilim originated in March 2020.
Both actors, tracked by the firm as “Water Roc,” offered RaaS subscription services based on a 70/30 split, with margins reduced to 90/10 when high-profile victims were snagged by affiliates.
Trend Micro says that Nefilim often focuses on exposed Remote Desktop Protocol (RDP) services and public proof-of-concept (PoC) exploit code for vulnerabilities. These include CVE-2019-19781 and CVE-2019-11634, both of which are known bugs in Citrix gateway devices that received patches in 2020.
When unpatched services are found, exploit code is launched and initial access is obtained. Nefilim begins by downloading a Cobalt Strike beacon, Process Hacker — used to terminate endpoint security agents — the Mimikatz credentials dumper, and additional tools.
In one case documented by the team, Nefilim was also able to take advantage of CVE-2017-0213, an old vulnerability in Windows Component Object Model (COM) software. While a patch was issued back in 2017, the bug was still present and allowed the group to escalate their privileges to administrator levels.
The ransomware operators may also leverage stolen or easily forced credentials to access corporate networks and for lateral movement.
MEGAsync may be used to exfiltrate data during attacks. Nefilim ransomware will then be deployed and will begin encrypting content. Extensions vary, but the group has been linked to the extensions .Nephilim, .Merin, and .Off-White.
A random AES key is generated for each file queued for encryption. The malware then decrypts a ransom note using a fixed RC4 key; the note provides email addresses for victims to contact the operators concerning payment.
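The intrusion chain above (Cobalt Strike beacon, Process Hacker, Mimikatz, MEGAsync exfiltration, then files renamed with the .Nephilim, .Merin or .Off-White extensions) gives a defender a concrete set of indicators to hunt for. The following script is an added example and is not Trend Micro's or ZDNet's code: it scans constructed process-creation log lines and a constructed file listing for those indicators and maps each hit to the stage of the chain it belongs to, so an analyst can see how far an intrusion progressed. The log layout (`timestamp host user image args`) and the on-disk image names for the tools are assumptions; adapt the parser to your own EDR or Sysmon export.

```python
"""Triage helper for the Nefilim tooling and file extensions named in the article.

Added example, not code from the article, Trend Micro or ZDNet. The log
format and the process image names are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators named in the article. The image-name patterns are assumptions
# about how these tools usually appear on disk.
TOOL_PATTERNS = {
    "process_hacker": re.compile(r"processhacker\.exe", re.I),
    "mimikatz": re.compile(r"mimikatz", re.I),
    "cobalt_strike_beacon": re.compile(r"\bbeacon\b", re.I),
    "megasync_exfil": re.compile(r"megasync\.exe", re.I),
}
# Ransomware extensions the article links to Nefilim (compared case-insensitively).
RANSOM_EXTENSIONS = (".nephilim", ".merin", ".off-white")

# Assumed log layout: "<timestamp> <host> <user> <image> [args...]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<image>\S+)(?: (?P<args>.*))?$"
)


@dataclass
class Hit:
    host: str
    kind: str
    image: str


def scan_process_log(lines):
    """Return one Hit per parseable log line whose image or args match a known tool."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:  # unparseable lines are skipped rather than crashing the triage
            continue
        text = f"{m['image']} {m['args'] or ''}"
        for kind, pat in TOOL_PATTERNS.items():
            if pat.search(text):
                hits.append(Hit(m["host"], kind, m["image"]))
    return hits


def scan_file_listing(paths):
    """Return paths carrying one of the Nefilim-linked ransomware extensions."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXTENSIONS)]


def stage_summary(hits, encrypted_paths):
    """Count hits per stage of the chain described in the article."""
    stages = Counter()
    for h in hits:
        if h.kind == "cobalt_strike_beacon":
            stages["c2"] += 1
        elif h.kind in ("process_hacker", "mimikatz"):
            stages["defense_evasion_or_credential_access"] += 1
        elif h.kind == "megasync_exfil":
            stages["exfiltration"] += 1
    if encrypted_paths:
        stages["encryption"] = len(encrypted_paths)
    return dict(stages)


# Constructed sample telemetry (not real logs or file names).
SAMPLE_LOG = [
    "2021-06-15T10:02:11Z WS-01 corp\\jdoe C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2021-06-15T10:05:40Z WS-01 corp\\jdoe C:\\Users\\Public\\beacon.exe",
    "2021-06-15T10:07:03Z WS-01 corp\\jdoe C:\\Tools\\ProcessHacker.exe",
    "2021-06-15T10:09:55Z WS-01 corp\\jdoe C:\\Tools\\mimikatz.exe",
    "2021-06-15T11:30:12Z FS-02 corp\\svc_backup C:\\Users\\svc_backup\\MEGAsync\\MEGAsync.exe",
    "this line does not follow the expected layout",
]
SAMPLE_FILES = [
    "D:\\Shares\\Finance\\Q2-report.xlsx.Nephilim",
    "D:\\Shares\\Finance\\budget.docx",
    "D:\\Shares\\HR\\contracts.zip.Off-White",
    "D:\\Shares\\HR\\readme.txt",
]

if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.host}: {h.kind} ({h.image})")
    encrypted = scan_file_listing(SAMPLE_FILES)
    print("encrypted files:", encrypted)
    print("stage summary:", stage_summary(found, encrypted))
```

Matching on image names alone is easy to evade by renaming binaries, so in practice these patterns belong beside behavioural rules (LSASS access for Mimikatz, termination of security-agent processes for Process Hacker); the value of the script is in correlating the stages, since a beacon followed by credential dumping and a cloud-sync client on a file server is the sequence the article describes.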
“To enable file decryption in case the victim pays the ransom amount, the malware encrypts the generated AES key with a fixed RSA public key and appends it to the encrypted file,” the researchers say. “To date, only the attackers can decrypt this scheme as they alone own the paired private RSA key.”
When it comes to victims, Nefilim has been connected most often with attacks against organizations generating an annual revenue of $1 billion or more; however, the malware operators have also struck smaller companies in the past.
The majority of victims are in the US, followed by Europe, Asia, and Oceania.
“Modern attackers have moved on from widespread mass-mailed indiscriminate ransomware to a new model that is much more dangerous,” Trend Micro says. “Today, corporations are subject to these new APT-level ransomware attacks. In fact, they can be worse than APTs because ransomware often ends up destroying data, whereas information-stealing APTs are almost never destructive. There is a more pressing need to defend organizations against ransomware attacks, and now, the stakes are much higher.”
Customer experience now the top technology priority, but organizations aren’t quite ready
These days, everyone dreams of superior customer experience (CX), especially customers. Next in line are business leaders, who have finally started to see the light. Of course, that means the renewed pressure to pump up CX to, yeah, you guessed it — IT managers and professionals. However, getting everyone on the same page to deliver the goods is the hardest part of all.
The challenge was surfaced in a survey of 1,420 IT decision-makers released by Rackspace Technology, which found that focusing on CX implementations helps companies see greater rewards. Organizations that adopt a CX-led focus enjoy 1.6x higher brand awareness, 1.5x more employee satisfaction and nearly double their rates of customer retention, repeat purchases, average order values and customer lifetime value. “The research underscores the impact that modernizing applications to provide better customer experience can have on competitiveness and growth,” the survey’s authors add.
The rub, of course, is that building better CX systems is the easy part. Half (50%) of the IT executives in the survey report that it can take weeks to gain consensus before implementing technology changes, such as deploying new applications or launching a transformation project. Another 42% say it takes months. “This lag in consensus building negatively impacts time to market. If teams can’t move agile and fail fast, they’ll be beaten to the punch by competitors who can move through concept, development and release faster,” the researchers report.
Even when people and strategy are aligned, CX technology teams still face technology-related barriers, the survey shows. As is common with adopting new technology, legacy IT (26%), budget (24%), skills gaps (22%) and expertise (18%) rank as top barriers. Cultural issues also weigh heavily in the list as represented by resistance to change (16%), lack of buy-in (16%) and lack of leadership support (13%).
Emotions dictate technology initiatives, and this survey confirms it. The top barrier reported was the fear of negatively impacting existing customer experience (28%), the survey also finds. “Organizations recognize that technology is needed to improve the customer experience but are still nervous about changing the existing customer experience by implementing new technology,” the survey’s authors state. “Despite the push to innovate and transform, respondents are aware that the learning curves of customer experience improvements can cause friction.”
The good news is that no one is objecting to the employment of tech to improve CX — 52% report little to no resistance to technology changes. Only 23% report resistance. “IT leaders can gather from this that stakeholders are interested in change where there’s a specific business case, such as customer experience, and that interest could translate into less resistance when it’s time to implement programs.”
For IT leaders, the results also confirm that CX is a main strategic priority (48%), ahead of IT security, compliance (45%) and IT strategy (41%), and that technology is the key to driving customer experience. Over half (55%) of survey respondents credit applications with enhancing customer experience. Moreover, almost all organizations surveyed understand the importance of CX, with 94% reporting that some form of user experience initiative is underway within their organization. Only a small percentage (6%) report having no CX strategies or initiatives in place.
Technology-Related Barriers to CX Development
- Fear of negatively impacting existing CX 28%
- Legacy IT systems 26%
- Limited budget 24%
- Complexity 23%
- Lack of staff with the appropriate skill sets 22%
- Lack of expertise to lead transformation activities 18%
- Unclear digital transformation strategy 18%
- Lack of a trusted partner/advisor to work on digital transformation activities 18%
Modern technology initiatives are prevalent, which ultimately is seen in smoother CX delivery. Six out of ten (63%) respondents are using technology to drive automation efficiencies and over half (51%) are using it to drive IoT and cloud native initiatives. Even more directly, technology initiatives focused on real-time data analysis (44%) and customer engagement (30%) are prevalent.
How Does Technology Drive your Corporate Strategy?
- Driving corporate strategy 63%
- Use intelligent automation to drive efficiencies 51%
- Leverage innovative technologies such as IoT and cloud native applications 46%
- Greater employee collaboration 44%
- Real-time data analysis/customer ‘pulse’ 40%
- Simplify decision making 30%
This app teaches you how to make your iPhone secure
A big part of making security work is educating users about the importance of it, and how quickly (and usually effortlessly) the bad guys can take advantage of our mistakes.
This is exactly what iVerify does.
First and foremost, iVerify is a security scanner that makes sure you are making use of the basic security features such as Face/Touch ID, Screen Lock, and are running the latest iOS version. It also runs a device scan that looks for security anomalies and gives you a heads up if something seems out of place.
It can be very hard to spot if an iPhone has been hacked, so having a tool installed that keeps an eye out for the telltale signs of intrusion offers peace of mind.
iVerify is also packed with guides that look at the many different security features built into iOS, and how you can take advantage of them to secure your iPhone (or iPad).
There’s also a whole raft of other cool stuff, from information on securing your Apple, Facebook, Google, Instagram, LinkedIn, and Twitter accounts, information on activating DNS over HTTPS, a periodic reboot reminder (a simple way to protect yourself from remote exploits), and even a page that offers the latest security news.
iVerify is a brilliant app that gets regular updates to keep the information fresh and up-to-date.
iVerify is not free — it costs $2.99 — but it’s truly worth the money if you take security seriously. Even if you know your way around iOS well, you’re likely to learn a few new things from going through all the guides contained in this app.
iVerify requires iOS 13.0 or later or iPadOS 13 or later, and is compatible with iPhone, iPad, and iPod touch.
Avaddon ransomware group closes shop, sends all 2,934 decryption keys to BleepingComputer
The Avaddon ransomware group, one of the most prolific ransomware groups in 2021, has announced that it is shutting the operation down and giving thousands of victims a decryption tool for free.
The file sent to BleepingComputer had decryption keys for 2,934 victims of the Avaddon ransomware. The startling figure is another example of how many organizations never disclose attacks, as some reports have previously attributed just 88 attacks to Avaddon.
BleepingComputer’s Lawrence Abrams worked with Emsisoft chief technology officer Fabian Wosar and Coveware’s Michael Gillespie to check the files and verify the decryption keys. Emsisoft created a free tool that Avaddon victims can use to decrypt files.
Ransomware gangs — like those behind Crysis, AES-NI, Shade, FilesLocker, Ziggy — have at times released decryption keys and shut down for a variety of reasons. A free Avaddon decryption tool was released by a student in Spain in February but the gang quickly updated their code to make it foolproof again.
“This isn’t new and isn’t without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations,” Wosar told ZDNet.
“Ultimately, the key database we obtained suggests that they had at least 2,934 victims. Given the average Avaddon ransom at about $600,000 and average payment rates for ransomware, you can probably come up with a decent estimate of how much Avaddon generated.”
Wosar added that the people behind Avaddon had probably made enough money doing ransomware that they had no reason to continue.
According to Wosar, ransom negotiators have been noticing an urgency when dealing with Avaddon operators in recent weeks. Negotiators with the gang are caving “instantly to even the most meager counter offers during the past couple of days.”
“So this would suggest that this has been a planned shutdown and winding down of operations and didn’t surprise the people involved,” Wosar explained.
Data from Recorded Future has shown that Avaddon accounted for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May. An eSentire report on ransomware said Avaddon was first seen in February 2019 and operated as a ransomware-as-a-service model, with the developers giving affiliates a negotiable 65% of all ransoms.
“The Avaddon threat actors are also said to offer their victims 24/7 support and resources on purchasing Bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom,” the report said.
“What’s interesting about this ransomware group is the design of its Dark Web blog site. They not only claim to provide full dumps of their victims’ documents, but they also feature a Countdown Clock, showing how much time each victim has left to pay. And to further twist their victims’ arms, they threaten to DDoS their website if they don’t agree to pay immediately.”
The group has a lengthy list of prominent victims that include Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, the Indonesian government’s airport company PT Angkasa Pura I, Acer Finance and dozens of healthcare organizations like Bridgeway Senior Healthcare in New Jersey, Capital Medical Center in Olympia, Washington and others.
The gang made a note of publishing the data stolen during ransomware attacks on its dark web site, DomainTools researcher Chad Anderson told ZDNet last month.
Both the FBI and the Australian Cyber Security Centre released notices last month warning healthcare institutions about the threat of Avaddon ransomware.
The notice said “Avaddon threat actors demand ransom payment via Bitcoin (BTC), with an average demand of BTC 0.73 (approximately USD $40,000) with the lure of a decryption tool offered (‘Avaddon General Decryptor’) if payment is made.”
The group was also implicated in multiple attacks on manufacturing companies across South America and Europe, according to the Australian Cyber Security Centre.
Cybersecurity firm Flashpoint said that alongside REvil, LockBit, and Conti, Avaddon was one of the most prolific ransomware groups currently active.
Digital Shadows’ Photon Research Team told ZDNet in May that a forum representative for the Avaddon ransomware took to the Exploit forum to announce new rules for affiliates that included bans on targeting “the public, education, healthcare, and charity sectors.”
The group also banned affiliates from attacking Russia or any other CIS countries. US President Joe Biden is expected to press Russian President Vladimir Putin on ransomware attacks at a summit in Geneva on June 16.