Dissent@DataBreaches.Net
//
PowerSchool, a major education technology vendor, is grappling with the aftermath of a December cyberattack. Despite paying a ransom to the perpetrators in an attempt to prevent the release of stolen data, the hacker is now directly extorting individual school districts. The threat actor is demanding additional ransom payments from these districts, threatening to release sensitive student and teacher data if their demands are not met. This turn of events highlights the challenges and risks associated with paying ransoms in cyber extortion cases, as it does not guarantee the deletion of stolen data.
This situation has prompted a warning from PowerSchool to its customers. The company acknowledges that a threat actor has contacted multiple school districts, attempting to extort them using data from the December 2024 incident. PowerSchool maintains that this is not a new breach, as the data samples match those stolen previously. Law enforcement has been notified and is now involved in the investigation. The incident raises concerns about the ongoing security risks faced by organizations when vendors in their supply chain are targeted by cyberattacks.
PowerSchool provides cloud-based software to K-12 schools and districts, supporting over 60 million students across 18,000 customers in more than 90 countries. The company made the decision to pay the initial ransom because it believed doing so was in the best interest of its customers and communities, while understanding the risk that the bad actors might not delete the data despite their assurances. The Toronto District School Board, a PowerSchool customer, voiced doubts about whether the ransomware crew had deleted the data, emphasizing the ongoing pressure on school officials to prevent data leaks.
References:
- bsky.app: Infosec Exchange Post - PowerSchool's December breach is now extorting schools
- cyberscoop.com: CyberScoop article about PowerSchool customers hit by downstream extortion threats.
- The Register - Security: Details on hacker now extorting school districts after paying ransom to PowerSchool
- The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
- BleepingComputer: BleepingComputer article about PowerSchool hacker now extorting individual school districts.
- malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
- DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway
- PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
- go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied. Now individual school districts extorted by fiends
- Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
- techcrunch.com: TechCrunch article on PowerSchool being hacked.
- hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
- ExpressVPN Blog: Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
Classification:
Sergiu Gatlan@BleepingComputer
//
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.
The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing its ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group: while Hunters International denies being a direct continuation of Hive, evidence suggests that it acquired Hive’s source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia.
References:
- The DefendOps Diaries: Hunters International's shift to data extortion: a new era in cybercrime.
- BleepingComputer: The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks.
- Cyber Security News: Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems
- The Register - Security: Crimelords at Hunters International tell lackeys ransomware too 'risky'
- securityboulevard.com: Details of the rebranding and shift in focus to extortion by Hunters International.
- bsky.app: The Hunters International ransomware group is shutting down and rebranding as World Leaks – an extortion-only operation.
- The420.in: The ransomware-as-a-service (RaaS) operation Hunters International has announced a strategic pivot—shutting down its encryption-based ransomware campaigns and rebranding as a new extortion-only group known as “World Leaks.”
Classification:
Shira Landau@Email Security - Blog
//
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 and $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
References:
- Arctic Wolf: Self-Proclaimed “BianLian Group” Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
- Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats. Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters.
- Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
- The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
- www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.
Classification:
- HashTags: #Ransomware #Extortion #CyberScam
- Company: FBI
- Target: Corporate executives
- Attacker: BianLian Group
- Feature: Extortion letters
- Type: Extortion
- Severity: Medium