Categories: Security

New Security Realities of COVID-19 World

This year, criminals have found a brand new opportunity to profit from the COVID-19 hype. McAfee is detecting more and more criminal attempts to exploit current events. Organizations and businesses therefore need to be aware of, and understand, the new attack methods cybercriminals are using in the COVID-19 world.

Phishing emails have become the cybercriminals' tool of choice. The volume of such content has grown considerably over the past few months. Users receive fake emails purporting to come from the World Health Organization, offering masks, medications, coronavirus tests, and other medical merchandise (the subject line is usually chosen to be the most relevant one for recipients in a specific region).

Phishing emails contain either links to sites hosting malicious content or attached documents carrying exploits or malicious macros. The goal is to get malicious code onto the workstation in order to steal user or payment data. Criminals also use such phishing emails to lure the victim to a fake web resource.
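The three indicators described above (a display name that claims an organization the sender domain does not belong to, a link whose host merely embeds a trusted domain as a subdomain, and a macro-enabled attachment) can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from the original article or from any vendor named on it; both messages are constructed samples and the sender and link domains in them are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lure impersonating the WHO (invented domains, not a real message).
SAMPLE_EMAIL = """\
From: "World Health Organization" <alerts@who-covid19-update.example>
To: employee@corp.example
Subject: URGENT: COVID-19 masks available in your region
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Order certified masks now: http://who.int.secure-order.example/masks
Download the attached form to claim your tests.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="order_form.docm"
Content-Disposition: attachment; filename="order_form.docm"

ZmFrZQ==
--b1--
"""

# Constructed benign sample for comparison.
BENIGN_EMAIL = """\
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch

See you at noon, menu is at http://intranet.corp.example/menu
"""

# Organizations commonly impersonated, mapped to the domains they really send from.
BRAND_DOMAINS = {"world health organization": {"who.int"}}
# Office formats that can carry VBA macros.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
URGENCY_WORDS = ("urgent", "immediately", "act now", "final notice")
URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)


def registered_domain(host):
    """Crude registrable-domain guess (last two labels); adequate for this illustration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def score_message(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name claims a brand, but the envelope domain is not that brand's.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registered_domain(sender_domain) not in domains:
            findings.append(f"display name claims '{name}' but sender domain is {sender_domain}")

    # 2. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency wording in subject")

    for part in msg.walk():
        # 3. Macro-enabled attachment.
        filename = part.get_filename() or ""
        if filename.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment {filename}")

        # 4. Link host that embeds a trusted domain as a subdomain of something else.
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(errors="replace")
            for host in URL_RE.findall(text):
                for domains in BRAND_DOMAINS.values():
                    for trusted in domains:
                        if host.lower().startswith(trusted + ".") and registered_domain(host) != trusted:
                            findings.append(f"link host {host} embeds {trusted} under {registered_domain(host)}")
    return findings


def classify(raw):
    """Two or more independent indicators is treated as suspicious (threshold is an assumption)."""
    findings = score_message(raw)
    return ("suspicious" if len(findings) >= 2 else "clean", findings)


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        verdict, findings = classify(raw)
        print(label, verdict, *findings, sep="\n  ")
```

The constructed lure triggers all four checks; the benign message triggers none. In production the registrable-domain guess should use a public-suffix list, and the brand table would be populated from the organizations your users actually deal with.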

The criminal website imitates the appearance of a bank or payment-system site, where users are prompted to enter personal data. Another variant of malicious software is crypto-ransomware, which encrypts the victim's PC, deletes shadow copies of files, and demands a ransom. It is well known that today most attacks are conducted not by humans but by autonomous software that collects information about victims from different sources and sends phishing emails automatically. The information needed for such attacks is often gathered from social networks and other open sources, which requires practically no effort from the criminals. For instance, the metadata of user files, which is often openly accessible, can contain email addresses, IP addresses, OS versions, and so on.

It is very common for criminals to use previously stolen user databases to launch attacks. Criminals can deploy a new attack within just a few hours, relying on social engineering techniques and the emotions of potential victims. The best defense against such attacks is awareness: informing company employees about the methods cybercriminals use.

Nexoya Technologies will secure your networks, applications, servers, and devices from hackers, and you should be aware of their weaknesses. We provide the necessary level of security for any type of software, application, server, and device. Our penetration tests allow you to find those vulnerabilities before attackers do.
Don't worry about cybersecurity: hand these worries over to our experts! We offer high-quality penetration testing services for as long as you need.


Categories: Consultancy, Cyber Data Security

The Hacker News reported that DarkSide ransomware has netted over $90 million in Bitcoin

“In total, just over $90 million in bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets,” blockchain analytics firm Elliptic said. “According to DarkTracer, 2,203 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million.”

Elliptic was first to identify the Bitcoin wallet used by the DarkSide ransomware group to receive a 75 Bitcoin ransom payment from Colonial Pipeline.

Colonial was the victim of a ransomware attack on May 7, 2021, which led to a voluntary shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States. The attack was described as the worst cyberattack to date on U.S. critical infrastructure.

In this new report, we expand our original analysis to examine all of the wallets used by DarkSide to receive Bitcoin ransoms from victims over the past nine months.

This relies on Elliptic’s sophisticated blockchain analysis platform, combined with open-source intelligence gathered by our team of analysts. To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound.

Over $90 million extracted from 47 victims

In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets. According to DarkTracer, 99 organisations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.

The chart below shows the total value and number of ransom payments made to DarkSide over the past nine months. May was set to be a record month, until DarkSide reportedly shut down its operations on May 13, and its Bitcoin wallet was emptied.

[Chart: total value and number of ransom payments made to DarkSide per month over the past nine months]

Sharing the spoils

DarkSide is an example of “Ransomware as a Service” (RaaS). In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organization. This new business model has revolutionized ransomware, opening it up to those who do not have the technical capability to create malware but are willing and able to infiltrate a target organization.

Any ransom payment made by a victim is then split between the affiliate and the developer. In the case of DarkSide, the developer reportedly takes 25% for ransoms less than $500,000, but this decreases to 10% for ransoms greater than $5 million. This split of the ransom payment is very clear to see on the blockchain, with the different shares going to separate Bitcoin wallets controlled by the affiliate and developer. In total, the DarkSide developer has received bitcoins worth $15.5 million (17%), with the remaining $74.7 million (83%) going to the various affiliates.

In fact, the affiliate's share of both the Colonial Pipeline and Brenntag ransom payments was sent to the same Bitcoin wallet, suggesting that the same party was responsible for infecting both of these businesses.

Following the money

Using Elliptic’s blockchain analytics we can follow the ransom payments and see where the bitcoins are being spent or exchanged. What we find is that the majority of the funds are being sent to crypto-asset exchanges, where they can be swapped for other crypto assets or fiat currency.

The majority of crypto-asset exchanges comply with anti-money laundering regulations. They verify their customers’ identities and report suspicious activity. They also use blockchain analytics tools such as those offered by Elliptic, to check customer deposits for links to illicit activity such as ransomware.

However, some jurisdictions do not enforce these regulations, and it is to exchanges in these locations that much of the DarkSide ransomware proceeds are being sent. Regulated crypto-asset businesses should perform careful due diligence on the virtual asset service providers (VASPs) that they transact with. Elliptic Discovery provides risk profiles of all major global VASPs, enabling you to take a risk-based approach to your crypto counterparties.
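The two analytic steps the report describes, spotting the developer/affiliate split in a ransom wallet's outgoing transaction ("Sharing the spoils") and walking the onward hops until the coins reach a labelled exchange deposit address ("Following the money"), can be shown on a toy transaction graph. This is an added example written for this page, not Elliptic's platform or any of its data: the transactions, addresses, amounts and entity labels below are all constructed, and the 10 to 25 percent band used to recognise a developer cut is an assumption taken from the fee range the report quotes.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real chain data). Amounts in BTC; fees omitted for clarity.
# Each tx: id, the addresses it spends from, and its outputs as (address, amount).
TXS = [
    {"id": "t1", "inputs": ["victim-A"], "outputs": [("ransom-A", 75.0)]},
    {"id": "t2", "inputs": ["victim-B"], "outputs": [("ransom-B", 20.0)]},
    # Ransom wallets split each payment: developer cut to one wallet, affiliate share to another.
    {"id": "t3", "inputs": ["ransom-A"], "outputs": [("dev-1", 7.5), ("aff-1", 67.5)]},
    {"id": "t4", "inputs": ["ransom-B"], "outputs": [("dev-1", 5.0), ("aff-1", 15.0)]},
    # Affiliate moves funds through an intermediate hop, then cashes most of it out.
    {"id": "t5", "inputs": ["aff-1"], "outputs": [("hop-1", 82.5)]},
    {"id": "t6", "inputs": ["hop-1"], "outputs": [("exch-unreg-dep", 60.0), ("hop-2", 22.5)]},
    # Developer deposits straight to a regulated exchange.
    {"id": "t7", "inputs": ["dev-1"], "outputs": [("exch-reg-dep", 12.5)]},
]

# Entity labels an analyst would hold for known deposit addresses (constructed).
LABELS = {
    "exch-unreg-dep": "exchange (unregulated jurisdiction)",
    "exch-reg-dep": "exchange (regulated)",
}

# Assumed developer-fee band, covering the 10% to 25% range quoted in the report.
DEV_SHARE_MIN, DEV_SHARE_MAX = 0.10, 0.25


def spends_from(address):
    """Transactions that spend from the given address."""
    return [tx for tx in TXS if address in tx["inputs"]]


def classify_split(tx):
    """Recognise a two-output RaaS split: the smaller output is the developer cut if it
    falls inside the assumed fee band; returns None for anything else."""
    if len(tx["outputs"]) != 2:
        return None
    (a_addr, a_amt), (b_addr, b_amt) = tx["outputs"]
    (dev_addr, dev_amt), (aff_addr, aff_amt) = (
        ((a_addr, a_amt), (b_addr, b_amt)) if a_amt < b_amt else ((b_addr, b_amt), (a_addr, a_amt))
    )
    share = dev_amt / (dev_amt + aff_amt)
    if DEV_SHARE_MIN <= share <= DEV_SHARE_MAX:
        return {"developer": dev_addr, "affiliate": aff_addr, "developer_share": round(share, 4)}
    return None


def shared_affiliate_wallets():
    """Affiliate wallets that receive the larger share from more than one ransom wallet,
    the pattern the report reads as one affiliate having hit several victims."""
    by_affiliate = defaultdict(list)
    for tx in TXS:
        split = classify_split(tx)
        if split:
            by_affiliate[split["affiliate"]].extend(tx["inputs"])
    return {aff: sorted(srcs) for aff, srcs in by_affiliate.items() if len(srcs) > 1}


def follow_the_money(start_addresses):
    """Breadth-first walk from the ransom wallets, summing BTC that lands on labelled
    addresses; outputs with no onward spend are reported as 'unspent/unknown'."""
    totals = defaultdict(float)
    seen_addr, seen_tx = set(), set()
    queue = deque(start_addresses)
    while queue:
        addr = queue.popleft()
        if addr in seen_addr:
            continue
        seen_addr.add(addr)
        for tx in spends_from(addr):
            if tx["id"] in seen_tx:
                continue  # a tx with several inputs is counted once
            seen_tx.add(tx["id"])
            for out_addr, amt in tx["outputs"]:
                if out_addr in LABELS:
                    totals[LABELS[out_addr]] += amt
                elif not spends_from(out_addr):
                    totals["unspent/unknown"] += amt
                else:
                    queue.append(out_addr)
    return dict(totals)


if __name__ == "__main__":
    for tx in TXS:
        split = classify_split(tx)
        if split:
            print(tx["id"], "split:", split)
    print("shared affiliate wallets:", shared_affiliate_wallets())
    print("destinations:", follow_the_money(["ransom-A", "ransom-B"]))
```

On this ledger the walk attributes 60 BTC to the unregulated exchange, 12.5 BTC to the regulated one, and leaves 22.5 BTC sitting on an unlabelled hop, which matches how the report's "lower bound" caveat arises: whatever has not yet reached a labelled address cannot be attributed. Real analysis works on UTXOs rather than addresses and must handle mixing and peel chains, which this toy deliberately omits.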


Disclaimer

This blog is provided for general informational purposes only. By using the blog, you agree that the information on this blog does not constitute legal, financial or any other form of professional advice. No relationship is created with you, nor any duty of care assumed to you, when you use this blog. The blog is not a substitute for obtaining any legal, financial or any other form of professional advice from a suitably qualified and licensed advisor. The information on this blog may be changed without notice and is not guaranteed to be complete, accurate, correct or up-to-date.