This week’s round up…
- Italian City of Palermo most likely the target of a ransomware attack
- HelloXD says Hello World
- BlackCat marches on
- Maybe don’t advertise your ransomware on Instagram?
- Burn out in the uphill climb against ransomware
- Confluence under attack
Italian City of Palermo most likely the target of a ransomware attack
Last week, Bill Toulas at Bleeping Computer reported on a disruption in services of Palermo, a city in Italy. Residents (of which Palermo is home to 1.3 million) were – and reportedly still are - unable to access digital services, but questions remained at the time of publication if the outage was a result of a DDoS or a ransomware attack.
“Italy recently received threats from the Killnet group, a pro-Russian hacktivist who attacks countries that support Ukraine with resource-depleting cyberattacks known as DDoS (distributed denial of service),” Toulas wrote in the article. “While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS.”
This week, Alicia Hope at CPO Magazine reported that Vice Society – a known ransomware operator – claimed responsibility.
“The Italian website Cybersecurity360.it reported that hackers accessed sensitive documents such as birth, marriage, family, and residence status certificates. Camassa said SISPI had taken the necessary measures to mitigate data violations,” Hope reported.
HelloXD says Hello World
Palo Alto’s Unit 42 researchers released a report on the HelloXD strain of ransomware, which is noteworthy because the operator has not resorted to double extortion techniques and the payload seems to have “very similar core functionality to the leaked Babuk/Babyk source code.”
“HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems,” the researchers wrote in the report. “Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.”
BlackCat marches on
The BlackCat ransomware came to widespread awareness in November of 2021 as one of the first strains to leverage the Rust programming language. Rust is known to be fast and cross-platform – meaning that the malware can be run on Microsoft Windows, Apple MacOS or Linux – which provides obvious advantages to malicious actors.
The Microsoft 365 Defender Threat Intelligence Team released a report that digs into further details surrounding this threat, including increased adoption as the team “observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat.”
It is worth noting that the ransomware strain is a product of a Ransomware as a Service (RaaS) group, which means that the developers of the malware usually are not responsible for performing the breaches. As a result, attackers can switch their payloads of choice much as a legitimate company would change software vendors.
“Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies,” the researchers wrote.
In further example to the increased proliferation of the ransomware strain, Damien Black at Cyber News reported that the University of Pisa fell victim to the BlackCat and was “issued a ransom note for Saturday’s attack, giving the university administration until June 16 to pay $4.5 million.”
Ransomware gang reveals tool for victims to search for their own data
Brian Krebs reported on a tool developed by the BlackCat RaaS group that allows victims to search for their stolen data, which would be laudable if not for the theft and extortion bits.
“The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form,” Krebbs reported.
Maybe don’t advertise your ransomware on Twitter?
Lorenzo Franceschi-Bicchierai at Vice reported on a facepalm inducing moment of either hubris or idiocy this week when a ransomware operator touted their wares on social media site Instagram. The malware research group vx-underground revealed the advertisement and warned against such … hubris (editor’s note: the editorial staff at Halcyon struggled to find the appropriate term here).
“The hacker’s Instagram account has more than 20,000 followers. As of this writing, the ad is gone from the account’s Stories, which instead include a shot of — presumably — the hacker driving a BMW and holding what appears to be a joint in his hand, which does not look like it’s lit,” Franceschi-Bicchierai reported.
The ransomware author has since deleted their Instagram account.
Burn out in the uphill climb against ransomware
We can add additional human costs to the struggle against ransomware as Owen Hughes of ZDNet reports the stress that cybersecurity professionals are under is taking its toll. “More than 90% of cybersecurity professionals are stressed in their roles, with a ‘significant proportion’ of professionals conceding that this is negatively impacting their ability to do their jobs,” Hughes quoted a report from cyber security firm Deep Instinct.
The report cites multiple causes for the increased strain, including the increased velocity of ransomware attacks and changes in the network perimeter elicited by the move to remote work. “Cyber criminals have benefitted from the move to remote working, with ransomware incidents having increased significantly during the past two years,” Owens again quoted the report. These findings are especially worrying given organizations’ struggle to fill cybersecurity positions.
Confluence under attack
A vulnerability in the server-hosted version of Atlassian’s very popular documentation solution, Confluence, is under active attack reports Jaikumar Vijayan at Dark Reading.
“Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday,” Vijayan wrote in the article.
It's important to note that the cloud-hosted version of Confluence is not mentioned in this report, but the vulnerability possibly gives attackers access to very sensitive data.
Thanks to the reporters and researchers
Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.
Bill Toulas at Bleeping Computer for their reporting on Italian city of Palermo shuts down all systems to fend off cyberattack.
Alicia Hope at CPO Magazine for their reporting on Ransomware Attack Disrupted Municipal Services in the Italian City of Palermo.
Daniel Bunce at Unit 42 for their reporting on Exposing HelloXD Ransomware and x4k.
Doel Santos at Unit 42 for their reporting on Exposing HelloXD Ransomware and x4k.
Microsoft 365 Defender Threat Intelligence Team at Microsoft for their reporting on The many lives of BlackCat ransomware - Microsoft Security Blog.
Damien Black at Cybernews for their reporting on University of Pisa held to ransom for 4.5m euros.
Brian Krebs at Krebs on Security for their reporting on Ransomware Group Debuts Searchable Victim Data.
Lorenzo Franceschi-Bicchierai at Vice for their reporting on Hacker Advertises ‘Crappy’ Ransomware on Instagram.
Owen Hughes at ZDNet for their reporting on The unrelenting threat of ransomware is pushing cybersecurity workers to quit.
R. Scott Raynovich at Forbes for their reporting on At the RSA Conference, Jobs Still Key to The Cybersecurity Crisis.
Jaikumar Vijayan at Dark Reading for their reporting on Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware.