Sergiu Gatlan@BleepingComputer
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.
The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing its ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group. While Hunters International denies being a direct continuation of Hive, evidence suggests that it acquired Hive's source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia.
References:
- The DefendOps Diaries: Hunters International's shift to data extortion: a new era in cybercrime.
- BleepingComputer: The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks.
- Cyber Security News: Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems
- The Register - Security: Crimelords at Hunters International tell lackeys ransomware too 'risky'
- securityboulevard.com: Details of the rebranding and shift in focus to extortion by Hunters International.
- bsky.app: The Hunters International ransomware group is shutting down and rebranding as World Leaks – an extortion-only operation.
- The420.in: The ransomware-as-a-service (RaaS) operation Hunters International has announced a strategic pivot—shutting down its encryption-based ransomware campaigns and rebranding as a new extortion-only group known as "World Leaks."
Dhara Shrivastava@cysecurity.news
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.
Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.
References:
- cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
- The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
- blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
- DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.
Shira Landau@Email Security - Blog
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 and $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
References:
- Arctic Wolf: Self-Proclaimed "BianLian Group" Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
- Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats. Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters.
- Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
- The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
- www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.
@ofac.treasury.gov
North Korean IT workers are increasingly engaging in aggressive extortion tactics against companies that unknowingly hired them. The FBI and Mandiant have issued warnings about these workers, who exploit remote access to steal sensitive data and demand ransom payments. After being discovered, some of these workers hold stolen data and proprietary code hostage, threatening to publicly release it if demands are not met. There have also been reports of workers attempting to steal code repositories, company credentials, and session cookies for further compromise.
This escalation in tactics is attributed to increased law enforcement action, sanctions, and media coverage, which have impacted the success of their schemes. The US Department of Justice has indicted several individuals, including North Korean nationals, for their involvement in elaborate "laptop farm" schemes. These schemes involve using stolen identities, forged documents and remote access software to deceive companies into hiring North Korean IT workers and generating revenue for the DPRK regime. The indicted individuals are accused of generating over $800,000, which was then laundered, highlighting the sophistication and reach of this cybercrime operation.
References:
- ciso2ciso.com: North Korean Fake IT Workers More Aggressively Extorting Enterprises
- Cyber Security News: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- securityonline.info: North Korean IT Workers Indicted in Elaborate "Laptop Farm" Scheme to Evade Sanctions
- www.justice.gov: This highlights the evolving cybercrime tactics of North Korea
- cybersecuritynews.com: North Korean IT Workers Demands Ransomware By Stealing Companies Source Codes
- www.bleepingcomputer.com: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them.
- Techmeme: The FBI warns that North Korean IT workers are abusing their access to steal source code and extort US companies that have been tricked into hiring them (Sergiu Gatlan/BleepingComputer)
- oodaloop.com: DoJ nabs five suspects in North Korean remote worker scheme
- www.computerworld.com: DOJ indicts North Korean conspirators for remote IT work scheme
- www.csoonline.com: DOJ indicts North Korean conspirators for remote IT work scheme
- The420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- ciso2ciso.com: DOJ indicts North Korean conspirators for remote IT work scheme
- www.the420.in: FBI Warns: North Korean Hackers Stealing Source Code to Extort Employers
- Pyrzout :vm:: DOJ indicts North Korean conspirators for remote IT work scheme – Source: www.computerworld.com
- ciso2ciso.com: US Charges Five People Over North Korean IT Worker Scheme – Source: www.securityweek.com
- www.helpnetsecurity.com: North Korean IT workers are extorting employers, FBI warns
- The Register: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- The Register - Security: North Korean dev who renamed himself 'Bane' accused of IT worker fraud scheme
- ciso2ciso.com: North Korean dev who renamed himself ‘Bane’ accused of IT worker fraud scheme – Source: go.theregister.com
- Help Net Security: North Korean IT workers are extorting employers, FBI warns