Shira Landau@Email Security - Blog
//
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 to $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
References :
- Arctic Wolf: Self-Proclaimed “BianLian Group� Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
- Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters
- Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
- The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
- www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.
Classification:
- HashTags: #Ransomware #Extortion #CyberScam
- Company: FBI
- Target: Corporate executives
- Attacker: BianLian Group
- Feature: Extortion letters
- Type: Extortion
- Severity: Medium
@ofac.treasury.gov
//
North Korean IT workers are increasingly engaging in aggressive extortion tactics against companies that unknowingly hired them. The FBI and Mandiant have issued warnings about these workers, who exploit remote access to steal sensitive data and demand ransom payments. After being discovered, some of these workers hold stolen data and proprietary code hostage, threatening to publicly release it if demands are not met. There have also been reports of workers attempting to steal code repositories, company credentials, and session cookies for further compromise.
This escalation in tactics is attributed to increased law enforcement action, sanctions, and media coverage, which have impacted the success of their schemes. The US Department of Justice has indicted several individuals, including North Korean nationals, for their involvement in elaborate "laptop farm" schemes. These schemes involve using stolen identities, forged documents and remote access software to deceive companies into hiring North Korean IT workers and generating revenue for the DPRK regime. The indicted individuals are accused of generating over $800,000, which was then laundered, highlighting the sophistication and reach of this cybercrime operation.
References :
- ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
- Cyber Security News: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- securityonline.info: North Korean IT Workers Indicted in Elaborate “Laptop Farm� Scheme to Evade Sanctions
- www.justice.gov: This highlights the evolving cybercrime tactics of North Korea
- ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
- cybersecuritynews.com: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- www.bleepingcomputer.com: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them.
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- oodaloop.com: DoJ nabs five suspects in North Korean remote worker scheme
- www.computerworld.com: DOJ indicts North Korean conspirators for remote IT work scheme
- CSO Online: DOJ indicts North Korean conspirators for remote IT work scheme
- : FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- ciso2ciso.com: DOJ indicts North Korean conspirators for remote IT work scheme
- www.the420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- : DOJ indicts North Korean conspirators for remote IT work scheme – Source: www.computerworld.com
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- ciso2ciso.com: US Charges Five People Over North Korean IT Worker Scheme – Source: www.securityweek.com
- www.helpnetsecurity.com: North Korean IT workers are extorting employers, FBI warns
- The Register: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- The Register - Security: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- ciso2ciso.com: North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme – Source: go.theregister.com
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- Help Net Security: North Korean IT workers are extorting employers, FBI warns
Classification:
- HashTags: #NorthKorea #CyberExtortion #ITWorkerFraud
- Target: Various Enterprises
- Attacker: North Korea
- Feature: IT Worker Scheme
- Type: Espionage
- Severity: Major
Dhara Shrivastava@cysecurity.news
//
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.
Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.
References :
- : February Sees Record-Breaking Ransomware Attacks, New Data Shows
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
- The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
- blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
- DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.
Classification:
- HashTags: #Ransomware #CyberAttack #DataExtortion
- Target: Organizations across various sectors
- Attacker: Various groups
- Product: Multiple
- Feature: Data encryption
- Malware: LockBit, CL0P, RansomHub, Akira
- Type: Ransomware
- Severity: Major
|
|
FlagThis - #DataExtortion
