Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

January 2024

Ransomware Payments On The Decline As Cyber Attackers Focus on The Smallest, And Largest, Organizations

New data for Q4 of 2023 reveals a sizable shift in the cyber threat landscape, with serious implications regarding ransomware and social engineering attacks targeting both the largest and smallest organizations worldwide. The good news is that ransoms continue to decline – according to the most recent Quarterly Ransomware Report from ransomware response vendor Coveware.

DarkGate malware delivered via Microsoft Teams - detection and response

While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats.

Ransomware's PLAYing a Broken Game

The Play ransomware group is one of the most successful ransomware syndicates today. All it takes is a quick peek with a disassembler to know why this group has become infamous. This is because reverse engineering the malware would be a Sisyphean task full of anti-analysis techniques. That said, it might come as a surprise that the malware crashes quite frequently when running.

The Percentage of Organizations Globally Struck by Ransomware Hits an All-Time High

Check Point’s review of ransomware shows that the percent of organizations worldwide hit by this greatest of cyberthreats rose by a whopping 33% in 2023. In 2022, 1 in 13 organizations globally had been the victim of a ransomware attack. According to the latest Check Point Research, that ratio worsened to just 1 in 10 in 2023. That represents 60,000 attempted attacks per organization throughout the year.

Malvertising Targets Chinese-Speaking Users

Researchers at Malwarebytes warn that a malvertising campaign is targeting Chinese-speaking users with phony ads for encrypted messaging apps. The ads impersonate apps that are restricted in China, such as Telegram or LINE. “The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead,” Malwarebytes says.

Transforming and Securing Healthcare with Rubrik

With the digitalization of patient data, the healthcare industry has significantly improved and transformed healthcare processes. This shift to digital data has brought many benefits, like improved quality of care, reduction in errors, and improved communication. However, the shift to digitalization has also led to the exponential collection of data, which is primarily unstructured. To put things in perspective, a typical healthcare and life sciences organization manages over 32.6 million sensitive files.

Meet AZORult Stealer: High Risk, Open Source & Evolving

AZORult stealer was first discovered in 2016 and is regarded as a high-risk Trojan-type virus created to collect private data. Over time,the AZORult stealer evolved into a free, open-source program. We discovered advertising with instructions for installing the stealer in “TheJavaSea” and “Nulled” within the prominent Darknet forums. AZORult, one of the most dominant stealers, has taken the place of honor among the top 5 stealers worldwide in the last couple of years.

Rubrik Celebrates a Major Milestone, and So Do I

A pair of round number milestones has made me deeply reflective about my life and that of Rubrik. In October, I turned 50. And ten years ago today, my Co-Founders and I started Rubrik. I want to talk more about the second landmark first because it’s not just a personal watershed but a notable one as well for our customers, partners, colleagues, and investors. Let me take you back to Monday, January 27, 2014, which seems like yesterday and long ago at the same time.

The dark side of 2023 Cybersecurity: Malware evolution and Cyber threats

In the ever-evolving cybersecurity landscape, 2023 witnessed a dramatic surge in the sophistication of cyber threats and malware. AT&T Cybersecurity Alien Labs reviewed the big events of 2023 and how malware morphed this year to try new ways to breach and wreak havoc. This year's events kept cybersecurity experts on their toes, from expanding malware variants to introducing new threat actors and attack techniques.

NCSC Warns That AI is Already Being Used by Ransomware Gangs

In a newly published report, the UK's National Cyber Security Centre (NCSC) has warned that malicious attackers are already taking advantage of artificial intelligence and that the volume and impact of threats - including ransomware - will increase in the next two years. The NCSC, which is part of GCHQ - the UK's intelligence, security and cyber agency, assesses that AI has enabled relatively unskilled hackers to "carry out more effective access and information gathering operations...

The Number of Ransomware Attack Victims Surge in 2023 to over 4000

The surge in Ransomware-as-a-Service affiliates is likely the reason behind the dramatic increase in the number of victimized organizations, with all indicators suggesting that this trend will persist into 2024. I love it when vendors put out a yearly summary, and do it in the first month of the next year! The data is relevant and helps paint a picture of what the industry should expect in the near future. In Cyberint’s 2023 Ransomware Recap report, we find that ransomware had quite the year.

Underground Alliances: State-Sponsored Hacking & Ransomware Realities Unveiled | Razorthorn Security

Uncover the covert world of state-sponsored hacking in our latest video. Explore how decent hacking groups showcase their skills, often in the realm of ransomware, to secure sponsorships through discreet back channels. These partnerships, sometimes with organizations linked to government-affiliated entities, provide the green light to target perceived adversaries. Has the spotlight dimmed on these activities? Quite the contrary – it's expanding.

Akira Ransomware-as-a-Service (RaaS) targeting Swedish organizations

Recent ransomware attacks on European organizations have attracted significant attention, primarily due to the involvement of threat actors with Russian connections or origins. Of particular concern is the latest attack on an IT service provider, which has had a profound impact on Swedish companies, government agencies, and municipalities.

Twelve Common Types of Malware

Malware is malicious software that cybercriminals use to infect a victim’s device. Cybercriminals use malware to gain control of the device, damage it or steal sensitive information. They use different types of malware to infect and exploit a user’s device. Some common types of malware include ransomware, Trojans, spyware and keyloggers. Continue reading to learn more about these types of malware, how they get delivered and how to stay protected from them.

13 Types of Malware Attacks - and How You Can Defend Against Them

If a malware attack is successful, it can result in lost revenue, unexpected down time, stolen data, and more costly consequences. With over 450,000 new malicious programs registered each day by independent IT security institute AV-Test, malware may be the biggest threat to your organization. There are many different types of malware and attackers are continually innovating more complex, harder-to-detect versions. Now is the time to take proactive steps to protect your organization.

The rise of ransomware: Strategies for prevention

The exponential rise of ransomware attacks in recent times has become a critical concern for organizations across various industries. Ransomware, a malicious software that encrypts data and demands a ransom for its release, can wreak havoc on an organization's operations, finances, and reputation. This comprehensive guide delves into the intricate landscape of ransomware, exploring sophisticated attack vectors, common vulnerabilities, and providing detailed strategies for prevention.

2023 Global Threat Roundup: Trends in Cyberattacks, Exploits and Malware

Our inaugural 2022 threat roundup report started by observing that “the year 2022 was eventful for cybersecurity.” As you can imagine, 2023 was no less eventful. Some of the key events included ongoing conflicts and the appearance of new ones, the emergence of critical vulnerabilities being mass exploited and the ever-increasing threat of cybercrime.

CherryLoader: A New Go-based Loader Discovered in Recent Intrusions

Arctic Wolf Labs has been tracking two recent intrusions where threat actors leveraged a new Go-based malware downloader we are calling “CherryLoader” that allowed them to swap exploits without recompiling code. The loader’s icon and name masqueraded as the legitimate CherryTree note taking application to trick the victims.

Navigating the threat landscape of LockBit

Imagine a virtual phantom slipping through digital shadows, silently locking away data, and leaving a haunting message demanding a ransom. That is LockBit ransomware, the stealthy troublemaker in the world of cybersecurity. In this blog, let’s unpack the mysteries of LockBit: how it sneaks in and wreaks havoc and why businesses should be on high alert.

The 443 Podcast - Episode 276 - Androxgh0st Analysis

This week on the podcast, we review a CISA and FBI joint advisory on the Androxgh0st malware. Before that we cover recent Volt Typhoon activity targeting SMB routers exposed on the internet. We end the episode with a fun research blog post about a series of flaws in an Indian insurance provider. The 443 Security Simplified is a weekly podcast that gets inside the minds of leading white-hat hackers and security researchers, covering the latest cybersecurity headlines and trends.

Ransomware-as-a-Service Will Continue to Grow in 2024

Ransomware-as-a-service (RaaS) may not be a brand-new tactic on the cyber battlefield, but it’s quickly gaining popularity among threat actors. For at least the past five years, cybercriminals have not only realized the monetary effectiveness of ransomware, but have understood that by banding together, and utilizing each other’s strengths, they could expand their ransomware attacks, split the profits, and utilize stolen data to launch future cyber attacks on larger organizations.

How to Conduct a Diary Study to Uncover User Needs with Rubrik User Researcher Jenny Li

How well would you say you know your users? Are you a designer, product manager, startup founder or anyone looking to better understand the needs of their target audience and wondering whether a diary study is the right methodology for your discovery research project? Look no more! Jenny Li's talk will help you understand how to conduct a diary study, what you need to plan for, and what you'll get out of it.

Cybersecurity Trends for 2024: What's In & What's Out

Dissecting the cybersecurity landscape isn’t easy. Organizations are perennially under-prepared. Seemingly every person in the world has been affected by some company’s data breach. Then, we layer in the biggest tech news of 2023: the widespread experimentation and use of generative AI. Today, no one is immune from the threat of an attacker. Each organization must be ready. Organizations of all sizes must understand the evolving cybersecurity landscape in order to defend themselves.

Open the DARKGATE - Brute Forcing DARKGATE Encodings

DARKGATE is Windows-based malware that is sold on the dark web. DARKGATE is a fully functional backdoor that can steal browser information, drop additional payloads, and steal keystrokes. Kroll previously noted DARKGATE’s distribution via Teams. When the DARKGATE payload runs on a victim system, it creates a randomly named folder within C:\ProgramData that contains encoded files. Within the randomly named folder is a short configuration file and the output of keystrokes logged on the system.

'Swatting' Becomes the Latest Extortion Tactic in Ransomware Attacks

Rather than stick to traditional ransomware extortion methods that revolve around the attack itself, a new form of extortion known as Swatting puts the focus on the victim organization’s customers. A somewhat unexpected mode of extortion appears to be popping up in attacks targeting medical institutions. According to Dark Reading, cybercriminals are making repeat prank calls to police about individuals that are patients impacted by a data breach of a medical facility they are a customer of.

Rubrik Security Cloud-Government is StateRAMP Certified

Here at Rubrik, few things excite us more than knowing that the work we do enables a smoother functioning of our governments. Government organizations have an important duty to defend our nation’s critical institutions and essential infrastructure against threat actors—while operating with limited budgets and limited resources. Rubrik has a long history of securing public sector institutions. We have relentlessly focused on developing products that ensure rapid and confident cyber recovery.

Enter The Gates: An Analysis of the DarkGate AutoIt Loader

AutoIt is a scripting language designed for automating the Windows GUI and general scripting. Over the years, it has been utilized for malicious purposes, including AutoIt-compiled malware, which dates back to as early as 2008. Malware creators have exploited the versatility of AutoIT in a variety of ways, such as using obfuscated scripts for payload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of spreading through removable media and Windows shares.

Androxgh0st Malware: SafeBreach Coverage for US-CERT Alert (AA24-016A)

On January 16th, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory to highlight the ongoing malicious activities by threat actors deploying the Androxgh0st Malware. Detailed information about these activities and the associated indicators of compromise (IOCs) and the various tactics, techniques, and procedures (TTPs) is listed in Known Indicators of Compromise Associated with Androxgh0st Malware.

Malware vs Virus: What's the Difference?

The main difference between malware and viruses is that malware is an umbrella term used to describe all types of malicious software, whereas viruses are a specific type of malware. In other words, all viruses are malware but not all types of malware are viruses. Continue reading to learn what malware is, what a virus is, the key differences between the two and how you can protect yourself against all types of malware, including viruses.

Are They Really Playing? Get to Know Play Ransomware

Play is a recent entrant into the realm of ransomware, with its initial appearance being identified in June 2022. In this context, “Play” encompasses both the entity responsible for its development and distribution, as well as the name of the executable used for the ransomware. Following a pattern observed among numerous actors in this domain, Play has embraced the strategy of double extortion.

Blink-and-Update: All About Rhadamanthys Stealer

Rhadamanthys, an info stealer, written in C++, was first seen on August 22, 2022. This stealer, still gets updates and patched regularly. Version 0.5.0 shifted towards a more customizable framework allowing threat actors to counter security measures and exploit vulnerabilities by deploying targeted plugins, such as ‘Data Spy,’ which monitors RDP logins.

Stories from the SOC: BlackCat on the prowl

BlackCat is and has been one of the more prolific malware strains in recent years. Believed to be the successor of REvil, which has links to operators in Russia, it first was observed in the wild back in 2021, according to researchers. BlackCat is written in the Rust language, which offers better performance and efficiencies than other languages previously used. BlackCat is indiscriminate in how it targets its victims, which range from healthcare to entertainment industries.

Ransomware & Extortionware in 2024: Stats & Trends

In the underground cybercrime circles of the Dark Web, ransomware attacks are a particularly lucrative enterprise. These attacks are on the rise. And they’re disrupting the stalwart IT industry. The average cost of a ransom attack in 2023 was $1.54 million, almost double the previous year’s average. And research we gathered for The CISO Report show that 83% of organizations hit by a ransomware attack paid their attackers. Curious which industry is most likely to pay the ransom? Retail.

How Generative AI Will Accelerate Cybersecurity with Sherrod DeGrippo

In this episode of Cyber Security Decoded, host Steve Stone, Head of Rubrik Zero Labs, is joined by Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft to discuss the cyber threat landscape. In this episode, you'll hear insights on: Rubrik Zero Labs' “The State of Data Security: The Journey to Secure an Uncertain Future" report provides a timely view into the increasingly commonplace problem of cyber risks and the challenge to secure data across an organization’s expanding surface area.

Data Insights on AgentTesla and OriginLogger Victims

AgentTesla is a Windows malware written in.NET, designed to steal sensitive information from the victim's system. It’s considered commodity malware given its accessibility and relatively low cost. Commodity malware poses a significant threat as it enables less sophisticated cybercriminals to conduct various types of cyberattacks without requiring extensive technical knowledge. AgentTesla has been a persistent and widespread threat since its emergence in 2014.

FBI Releases Blackcat Ransomware Decryption Tool to Victims, Disrupting Attacks

For the first time ever, the U.S. Justice Department announced the existence of an FBI-developed decryption tool that has been used to save hundreds of victim organizations attacked by one of the most prolific ransomware variants in the world. In an announcement made last month, the Justice Department made the world aware of the existence of a decryption tool to be used by those organizations hit by Blackcat – also known as ALPHV or Noberus.

AsyncRAT loader: Obfuscation, DGAs, decoys and Govno

AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. During at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent in their intentions.

Black Basta Ransomware Decryptor Released to Help Some Victims

A flaw found by security researchers in the encryption software allows victim organizations to use “Black Basta Buster” to recover some of their data – but there’s a catch. We’ve all heard – for as long as ransomware attacks have been happening, you either need to pay the ransom or recover from backups. But a third option has now sprouted up on GitHub.

Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware

This mechanism is intended to simplify installing Windows apps after cybercriminals started using it to spread malware loaders that resulted in ransomware and backdoor outbreaks. The feature in question is called the ms-appinstaller consistent resource identifier plan, and its initial purpose was to make deploying Windows programs to devices simpler.

Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware

Arctic Wolf Labs is aware of several instances of ransomware cases where the victim organizations were contacted after the original compromise for additional extortion attempts. In two cases investigated by Arctic Wolf Labs, threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to.

Lockbit 3.0 Ransomware Disrupts Emergency Care at Multiple German Hospitals

Hitting three hospitals within a Germany-based hospital network, the extent of the damage in this confirmed ransomware attack remains undetermined but has stopped parts of operations. It appears that affiliates of ransomware gangs have forgotten the golden rule – you don’t hit hospitals. It’s one thing to disrupt operations at a regular brick and mortar business. But hitting a business where someone’s life could be literally placed in jeopardy because a system is unavailable?

Computer Worm vs Virus: What's the Difference?

The main differences between a worm and a virus are how they spread and how they are activated. Worms spread automatically to devices through a network by self-replicating, whereas viruses spread by attaching themselves to files or programs. Worms don’t need human interaction to activate and infect a device, whereas viruses do. Continue reading to learn more key differences between worms and viruses and how to keep your devices and data safe from both types of malware.

Boston-Based Community College, Bunker Hill, Updates on 2023 Ransomware Event

Bunker Hill Community College (BHCC) serves a population of about 13,000 across two campuses and dispersed locations. BHCC offers over 100 degrees, including arts, sciences, business, health, law, and STEM opportunities. In May 2023, BHCC experienced a ransomware event—officials responded by taking their systems offline—but the threat was successful nonetheless. The assailants stole an estimated 195,588 records in their attack.