A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavlovich Matveev, a.k.a. “Wazawaka” and “Boriselcin,” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.
Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.
The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.
Meanwhile, the U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.
In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.
“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”
In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).
A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.
“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”
Prosecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.
Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place,” and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’”
As noted in last year’s investigations into Matveev, his alleged cybercriminal handles all were driven by a uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder.
In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that have refused to negotiate after five days.
Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.
Further reading:
Who is the Network Access Broker “Wazawaka?”
The New Jersey indictment against Matveev (PDF)
The indictment from the U.S. attorney’s office in Washington, D.C. (PDF)
Imagine that you want to pull up a certain file on your computer. You click on the file and suddenly a notice flashes on your screen saying your computer is compromised and to get your files back, you need to pay up. This is known as ransomware, a nasty type of malware that is no longer reserved for multimillionaires and corporations. Cybercriminals are holding hostage computer files and sensitive personal documents of ordinary people for their own financial gain.
Here’s everything you need to know about how ransomware makes it on to your devices and seven digital safety habits you can start today to prevent it from happening to you.
Ransomware infects connected devices – smartphones, laptops, tablets, and desktops – when the device owners unknowingly click on links or popups that have malicious software embedded within them.
Phishing attempts are a common vehicle for spreading ransomware. The cybercriminal veils their malicious links in emails, texts, or social media direct messages that urge a quick response and threaten dire consequences. For example, a phisher may impersonate a bank and demand the innocent recipient click on a link to recover a large sum of money. Instead, the link directs not to an official bank website, but to a malware download page. From there, the ransomware software takes hold and allows the cybercriminal to stalk and lock your most important files.
If a cybercriminal reaches out to you and notifies you that they have your files hostage, do not engage with them and never pay the ransom. Even if you do pay the ransom, there’s no guarantee that the criminal will release your files. They’re a criminal after all, and you cannot trust them. Giving in and paying ransoms bolsters the confidence of cybercriminals that their schemes are successful, thus they’ll perpetuate the scam.
Remain calm and immediately disconnect your ransomware-infected device from the Wi-Fi. This will prevent the program from jumping from one device to another device connected to the same network. Then, on another device, visit the No More Ransom Project. This initiative, supported by McAfee, has a repository of advice and code that may rid your device of the malicious program. Additionally, report the event to the Cybersecurity & Infrastructure Security Agency. An agent may be able to help you unlock your device or advise you on how to proceed.
The best way to prepare for ransomware is to prevent it from happening in the first place. These seven online habits are a great way to keep your devices and the valuable personally identifiable information they store from falling into the hands of cybercriminals.
A cybercriminal has no leverage if your device doesn’t house anything of value. Back up your most important files every few months, either to the cloud or save them onto a hard drive. This way, if you do get a ransomware infection, you can wipe your device and reinstall your files from the backup. Backups protect your data, and you won’t be tempted to reward the malware authors by paying a ransom.
When updating your credentials, you should always ensure that your password is strong and unique. It’s dangerous to reuse the same password across accounts because all it takes to put your accounts at risk is for one data breach to leak your password onto the dark web. It’s nearly impossible to memorize all your different password and username combinations, so entrust a password manager to store them for you.
Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification to enter an online account. For instance, you’ll be asked to verify your identity through a one-time code sent to a cellphone or to answer a security question in tandem with a correct password. This additional step in the login process deters ransomware plots because if you store your important documents behind a multi-factor authentication-protected cloud program, the criminal has nothing of value to hold hostage.
Don’t click on links or respond to emails, social media direct messages, and texts from people you don’t know. This is important since phishers often trick people into downloading malware and ransomware software through disguised links.
Using a security extension on your web browser is one way to browse more safely. McAfee WebAdvisor, for instance, alerts you when you’ve ventured onto risky sites that could harbor malware. Websites that claim to have free TV shows, movies, and software are among the riskiest.
Public Wi-Fi networks – like those at libraries, coffee shops, hotels, and airports – are often not secure. Since anyone can log on, you can’t always trust that everyone on the network has good intentions. Cybercriminals often hop on public networks and digitally eavesdrop on the devices connected to them. So, you can either avoid public Wi-Fi altogether and only access the internet through 5G, or you can enable a virtual private network. A VPN is a truly private network that encrypts your internet traffic, making you completely anonymous online.
Don’t ignore your devices’ notifications to update your software. Keeping your software up to date is an excellent way to deter cybercriminals from forcing their way onto your device. Software updates usually include critical security patches that close any holes that a ransomware plot could squeeze through.
To boost your peace of mind, opt for an extra layer of security with a solution like McAfee+ Ultimate, which includes up to $25,000 in ransomware coverage. McAfee+ Ultimate also includes a VPN, password manager, and safe browsing extension to keep your online comings and goings private.
The post 7 Tips to Protect Your Devices and Private Information from Ransomware appeared first on McAfee Blog.
Ransomware. Even the name sounds scary.
When you get down to it, ransomware is one of the nastiest attacks a hacker can wage. They target some of our most important and precious things—our files, our photos, and our information stored on our devices. Think about suddenly losing access to all of them and being forced to pay a ransom to get access back. Worse yet, paying the ransom is no guarantee the hacker will return them.
That’s what a ransomware attack does. Broadly speaking, it’s a type of malware that infects a network or a device and then typically encrypts the files, data, and apps stored on it, digitally scrambling them so the proper owners can’t access them. Only a digital key can unlock them—one that the hacker holds.
Nasty for sure, yet you can take several steps that can greatly reduce the risk of it happening to you. Our recently published Ransomware Security Guide breaks them down for you, and in this blog we’ll look at a few reasons why ransomware protection is so vital.
The short answer is pretty bad—to the tune of billions of dollars stolen from victims each year. Ransomware targets people and their families just as explained above. Yet it also targets large organizations, governments, and even companies that run critical stretches of energy infrastructure and the food supply chain. Accordingly, the ransom amounts for these victims climb into the millions of dollars.
A few recent cases of large-scale ransomware attacks include:
Who’s behind such attacks? Given the scope and scale of them, it’s often organized hacking groups. Put simply, these are big heists. It demands expertise to pull them off, not to mention further expertise to transfer large sums of cryptocurrency in ways that cover the hackers’ tracks.
As for ransomware attacks on people and their families, the individual dollar amounts of an attack are far lower, typically in the hundreds of dollars. Again, the culprits behind them may be large hacking groups that cast a wider net for individual victims, where hundreds of successful attacks at hundreds of dollars each quickly add up. One example: a hacker group that posed as a government agency and as a major retailer, which mailed out thousands of USB drives infected with malware.
Other ransomware hackers who target people and families are far less sophisticated. Small-time hackers and hacking groups can find the tools they need to conduct such attacks by shopping on the dark web, where ransomware is available for sale or for lease as a service (Ransomware as a Service, or RaaS). In effect, near-amateur hackers can grab a ready-to-deploy attack right off the shelf.
Taken together, hackers will level a ransomware attack at practically anyone or any organization—making it everyone’s concern.
Hackers have several ways of getting ransomware onto one of your devices. Like any other type of malware, it can infect your device via a phishing link or a bogus attachment. It can also end up there by downloading apps from questionable app stores, with a stolen or hacked password, or through an outdated device or network router with poor security measures in place. And as mentioned above, infected storage devices provide another avenue.
Social engineering attacks enter the mix as well, where the hacker poses as someone the victim knows and gets the victim to either download malware or provide the hacker access to an otherwise password-protected device, app, or network.
And yes, ransomware can end up on smartphones as well.
Smartphone ransomware can encrypt files, photos, and the like on a smartphone, just as it can on computers and networks. Yet other forms of mobile ransomware don’t have to encrypt data to make the phone unusable. The “Lockerpin” ransomware that has struck some Android devices in the past would change the PIN number that locked the phone. Other forms of lock screen ransomware would simply paste a warning over the home screen with a “pay up, or else” message.
Still, ransomware isn’t as prevalent on smartphones as it is on computers, and there are several reasons why. For the most part, smartphone ransomware relies on people downloading malicious apps from app stores. Both Google Play and Apple’s App Store do their part to keep their virtual shelves free of malware-laden apps with a thorough submission process, as reported by Google and Apple.
Yet, bad actors find ways to sneak malware into the stores. Sometimes they upload an app that’s initially clean and then push the malware to users as part of an update. Other times, they’ll embed the malicious code so that it only triggers once it’s run in certain countries. They will also encrypt malicious code in the app that they submit, which can make it difficult for reviewers to sniff out.
Further, Android allows users to download apps from third-party app stores that may or may not have a thorough app submission process in place, which can make them more susceptible to hosting malicious apps. Moreover, some third-party app stores are actually fronts for organized cybercrime gangs, built specifically to distribute malware.
The people behind these attacks play on one of your greatest fears—that those important and precious things on your device might be gone forever. Yet with a backup, you have little to fear. You can simply restore any data and files that may have come under attack. Consider using a reputable cloud storage service that you protect with a strong, unique password. Similarly, you can back up your data locally on an external drive that you keep disconnected from your network and stored in a secure location. So while a backup won’t prevent an attack, it can most certainly minimize any threat or damage from one.
Ransomware attackers use phishing emails, bogus direct messages in social media, and texts to help install malware on your device. Many of these messages can look quite legitimate, like they’re coming from a brand you know, a financial institution, or even the government. The links embedded in those messages will take you to some form of malicious website where you’re prompted to download a phony file or form—which is actually malware. Similarly, some phishing emails will simply send malware to the recipient in the form of a malicious attachment that masquerades as a legitimate document like an invoice, spreadsheet, or shipping notice.
This provides your first line of defense. Online protection software includes several features that can stop a ransomware attack before it takes root:
That list is just for starters. Our Ransomware Security Guide goes even deeper on the topic.
It gets into the details of what ransomware looks like and how it works, followed by the straightforward things you can do to prevent it, along with the steps to take if the unfortunate ends up happening to you or someone you know.
Ransomware is one of the nastiest attacks going, because it targets our files, photos, and information, things we would be lost without. Yet it’s good to know you can indeed lower your risk with a few relatively straightforward steps. Once you have them in place, chances are a good feeling will come over you, the one that comes with knowing you’ve protected what’s precious and important to you.
The post How To Prevent Ransomware appeared first on McAfee Blog.
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.
Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.
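As an added example (not from the article or from Apple), a small patch-status check that compares an installed Apple OS version against the fix releases named above; product lines the article does not list (for instance macOS 13) are left out of the table on purpose and reported as unknown rather than guessed:

```python
"""Check whether an Apple OS version is at or past the release that fixed
CVE-2023-28206 and CVE-2023-28205, using only the fix versions the article lists."""
import platform
from typing import Optional, Tuple

# Minimum release per product line carrying the April 2023 fixes, keyed by
# (product, major version). Lines the article does not mention are absent on
# purpose, so the check answers "unknown" for them instead of guessing.
FIXED_RELEASES = {
    ("ios", 16): (16, 4, 1),
    ("ipados", 16): (16, 4, 1),
    ("ios", 15): (15, 7, 5),
    ("macos", 12): (12, 6, 5),
    ("macos", 11): (11, 7, 6),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.6.5' into (12, 6, 5); missing trailing components count as zero."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the version carries the fix, False if it is older than the fix
    release for its line, None if the line is not in the table."""
    current = parse_version(version)
    fixed = FIXED_RELEASES.get((product.lower(), current[0]))
    if fixed is None:
        return None
    return current >= fixed


def local_macos_status() -> Optional[bool]:
    """Apply the check to the machine this runs on (meaningful only on macOS;
    platform.mac_ver() returns an empty release string elsewhere)."""
    release = platform.mac_ver()[0]
    if not release:
        return None
    return is_patched("macos", release)


if __name__ == "__main__":
    # Constructed sample inputs, plus the local machine if it is a Mac.
    for product, version in [("macOS", "12.6.4"), ("iOS", "16.4.1"), ("macOS", "13.3")]:
        status = {True: "patched", False: "NOT patched", None: "unknown line"}[is_patched(product, version)]
        print(f"{product} {version}: {status}")
    print("this machine:", local_macos_status())
```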
Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the Windows Common Log File System (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.
“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said Dustin Childs at the Trend Micro Zero Day Initiative. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”
According to the security firm Qualys, this vulnerability has been leveraged by cyber criminals to deploy Nokoyawa ransomware.
“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said Bharat Jogi, director of vulnerability and threat research at Qualys.
Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.
Satnam Narang at Tenable notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity (the first being CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.
Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.
Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” Kevin Breen at Immersive Labs zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.
“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Microsoft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”
Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting Windows Remote Access Servers (RAS) that also earned Microsoft’s “exploitation more likely” label.
“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. “While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”
For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.