HOTTEST

ZDNET's key takeaways: SLES 16 comes with the Model Context Protocol built in. The new enterprise distro is digital-sovereignty-ready. This impressive upgrade introduces many changes and new features. Lots of companies are announcing AI this and AI that, but few of […]

The Ukrainian National Police announced a series of raids on Wednesday that ended with the arrest of six people alleged to be part of the group behind the Clop ransomware. The group is responsible for some of the most headline-grabbing ransomware attacks of the last two years, with hundreds of victims ranging from Shell and Kroger to Stanford University, the University of Maryland and the University of Colorado. Ukrainian police put the total damage from its attacks at an estimated $500 million.

The Cyberpolice Department of the Ukrainian National Police released a lengthy report on Wednesday morning, with photos and video, on the raids. Working with South Korean police, members of Interpol and unnamed US agencies, officers in Ukraine raided 21 residences in Kyiv and nearby towns.

During the raids, dozens of computers and expensive cars were seized, along with about $185,000. The report said the group's server infrastructure was taken down and the homes were seized. The six people arrested face up to eight years in prison for a variety of crimes related to the group's ransomware attacks and the laundering of ransom proceeds.
Ukrainian National Police
The Ukrainian National Police noted that South Korean officials were particularly interested in the raid because of ransomware attacks Clop launched against four South Korean companies in 2019, which infected more than 800 internal servers and computers. The group also attacked South Korean e-commerce giant E-Land in November 2020, crippling the company for days.

Clop became well known for exploiting vulnerabilities in out-of-date installations of the Accellion FTA file-transfer appliance; Bombardier, the Reserve Bank of New Zealand, the Washington State Auditor and the cybersecurity firm Qualys are just a few of the victims hit through the Accellion flaws.

Kim Bromley, senior cyber threat intelligence analyst at Digital Shadows, said the Clop ransomware has been active since February 2019 and generally targets large organizations. "Despite partaking in the ever-popular double-extortion tactic, Clop's reported activity level is relatively low when compared with the likes of 'REvil' (aka Sodinokibi) or 'Conti,'" Bromley explained.

Despite the press around the raid, many observers noted that Clop's leak site remained online. A source at cybersecurity company Intel 471 threw cold water on the excitement in an interview with Bleeping Computer, saying they did not believe any of the major players behind Clop were arrested, because those people live in Russia, and that those detained were mostly involved in the money-laundering side of the operation.

Clop rose to prominence in 2020 after demanding a ransom of more than $20 million from Software AG, one of the world's largest software companies.
Multiple cybersecurity companies have reported that Clop has ties to the malware distribution group TA505 and the cybercrime group FIN11.

Ransomware groups are facing increased scrutiny from law enforcement globally as hundreds of organizations continue to deal with the crippling after-effects of attacks. Bromley noted that last week the Avaddon ransomware shut down its operations, and the Ziggy ransomware did the same earlier this year, signalling that the growing law enforcement pressure is having an effect. "Arrests and operations targeting ransomware infrastructure must continue in the short term, in order to maintain pressure on ransomware operators," Bromley added.

Vectra CTO Oliver Tavakoli said raids like this are one of the key levers for shrinking the lucrative ransomware ecosystem. "When the likelihood of repercussions rises, fewer people will be drawn into the business of ransomware," Tavakoli said. "When periodic disruptions occur in the supply chain of ransomware and sometimes ransoms are reclaimed (as the FBI recently did with some of the Colonial Pipeline ransom payments), the business of ransomware itself becomes less lucrative and fewer people are drawn into it."

Other experts noted the timing of the raid, which came on the same day as the summit between US President Joe Biden and Russian President Vladimir Putin; Biden said after the meeting that ransomware was a significant topic of discussion. "This is a bold move, especially given Ukraine's tensions with Russia. It would be better to see comprehensive global law enforcement efforts take hold," said Hitesh Sheth, CEO at Vectra. "Cybersecurity has displaced nuclear arms as the premier superpower security issue of our era. We can hope the Biden-Putin summit leads to cooperation and structural progress in this area."

Image: Crypto.com
Crypto.com CEO Kris Marszalek told Bloomberg on Wednesday that the attack earlier this week hit 400 users. For what Marszalek said was a period of 13 to 14 hours, Crypto.com paused withdrawals, and it then told users they would need to sign back into their accounts and reset their two-factor authentication.

Marszalek said Crypto.com's 200 security professionals had built a "very robust" infrastructure with defence in depth. "There are multiple layers, and in this particular incident, some of these layers were breached," he said. "Which resulted in about 400 accounts having unauthorised transactions." He added that the affected users had their funds fully reimbursed the same day. While he would not be drawn on how much was taken, he said the company was working on a postmortem that would appear on its blog in the next few days. "In any case, one has to remember that given the scale of the business, these numbers are not particularly material."

Marszalek did not put a number on it, but blockchain security firm PeckShield did, claiming around $15 million was being washed through a coin tumbler.

Elsewhere in the interview, the CEO said he expected new use cases such as blockchain gaming to push the number of cryptocurrency users past one billion this year, and that the company was looking at potentially buying blockchain gaming companies.

Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise.
On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, a group believed either to be, or to be associated with, the Grim Spider and Lunar Spider hacking groups.

According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a "complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo."

Today's more sophisticated cybercriminal operations, whether purely for profit or working for state interests, as many advanced persistent threat (APT) groups do, often run on business-style models: hiring top talent and building a financial framework to deposit, transfer and launder proceeds. In Wizard Spider's case this also means reinvesting some of its profits in development, in tooling and software, and in new hires. The report suggests the group commands "hundreds of millions of dollars in assets."

"The group's extraordinary profitability allows its leaders to invest in illicit research and development initiatives," the researchers say. "Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits."

PRODAFT says Wizard Spider focuses on compromising enterprise networks and "has a significant presence in almost every developed country in the world, and many emerging economies as well." Victims have included defense contractors, enterprise firms, supply chain vendors, hospitals and critical utility providers.

Wizard Spider's attacks tend to start with spam and phishing that delivers QBot and the SystemBC proxy. The group may also get into businesses by hijacking existing email threads between employees, in the style of Business Email Compromise (BEC) schemes.
Once there is a crack in the door, the group deploys Cobalt Strike and works toward domain administrator privileges. The Conti ransomware is then deployed, workstations and hypervisor servers are encrypted, and a ransom demand is made. Victims are managed through a locker control panel.
PRODAFT
Wizard Spider also uses virtual private networks (VPNs) and proxies to hide its tracks. However, the group has invested in some unusual tools as well, including VoIP systems and staff tasked with cold-calling individuals at victim organizations to scare them into paying after an intrusion. This is a tactic used in the past by a handful of other ransomware groups, including Sekhmet, Maze and Ryuk. Coveware suspects this kind of 'call center' work may be outsourced by cybercriminals, as the templates and scripts used are often "basically the same."

Another tool of note is the Wizard Spider cracking station. This custom kit stores cracked hashes, runs crackers to try to recover domain credentials and other common hash types, and reports cracking status back to the team. As of now it has 32 active users. Several intrusion servers were also discovered containing a cache of tactics, techniques, exploits, cryptocurrency wallet information, and encrypted .ZIP files of notes made and shared by attack teams.

"The Wizard Spider team has shown itself capable of monetizing multiple aspects of its operations," PRODAFT says. "It is responsible for an enormous quantity of spam on hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets."
A new security feature from Google means that Android devices might soon start rebooting automatically, and that is not a bad thing. In a recent Google Play Services update, Google details how your Android phone will soon reboot if you haven't used it for three consecutive days.

How reboots help

This matters for two reasons. The first is that after a reboot the phone accepts only its PIN, pattern or password; biometrics and other unlock methods are not available until that first unlock. If you rely on fingerprint or face unlock day to day, the reboot forces the stronger credential, so anyone who has taken the phone must defeat the credential itself rather than the biometric. The corollary is that the protection depends on a screen-lock credential being set: a phone with no lock credential gains nothing from the reboot, because there is nothing for the data encryption to be tied to.

The second reason is more technical but just as important. Android distinguishes two states: Before First Unlock (BFU), from power-on until the credential is first entered, and After First Unlock (AFU). In BFU the keys that protect credential-encrypted user data have not yet been derived from the credential, so that data sits on flash as ciphertext that even specialized forensic extraction tools cannot read; in AFU those keys are held in memory, which is the state most extraction techniques depend on, and they stay there until the next reboot. A phone that reboots itself after three idle days therefore gives anyone who has seized it, whether local law enforcement or the FBI, a shorter window of AFU access before extraction becomes much harder.

A BFU phone can still connect to Wi-Fi or mobile data, so if you lose your phone and it reboots, location-finding services keep working. Apple introduced a similar inactivity reboot for iPhones last year, in iOS 18.1.
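To make the BFU/AFU distinction concrete, here is an added toy model written for this page; it is not Google's code, and PBKDF2 plus an HMAC-SHA256 keystream stand in for the hardware-backed key wrap and file encryption Android actually uses. It shows the property the article relies on: the credential-encrypted (CE) key exists on flash only wrapped under a PIN-derived key, is unwrapped into RAM by the first unlock, is cleared by any reboot, and an idle-day counter fires the reboot after three days. The `Phone` class, the `1234` PIN, the `notes.txt` file and its `tax records` contents are all constructed for the example.

```python
"""Toy model of Android's Before First Unlock (BFU) and After First Unlock (AFU)
states plus a three-day inactivity reboot.  Added illustration, not Google's code:
PBKDF2 and an HMAC-SHA256 keystream stand in for the hardware-backed key wrap and
file encryption Android actually uses."""
from __future__ import annotations

import hashlib
import hmac
import secrets

IDLE_REBOOT_DAYS = 3        # reboot threshold named in the Play Services update
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for AES-CTR."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes | None:
    """Plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Phone:
    """Credential-encrypted (CE) data is readable only while the CE key is in RAM."""

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        ce_key = secrets.token_bytes(32)
        # Persisted on flash: the CE key exists only wrapped under the PIN-derived key.
        self.wrapped_ce_key = seal(self._kek(pin), ce_key)
        # Constructed sample file, stored encrypted under the CE key.
        self.ce_files = {"notes.txt": seal(ce_key, b"tax records")}
        self.ce_key: bytes | None = None    # RAM copy; None means BFU
        self.idle_days = 0

    def _kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000, dklen=32)

    def state(self) -> str:
        return "AFU" if self.ce_key is not None else "BFU"

    def unlock_with_pin(self, pin: str) -> bool:
        """The only way out of BFU: the credential unwraps the CE key into RAM."""
        key = unseal(self._kek(pin), self.wrapped_ce_key)
        if key is None:
            return False
        self.ce_key, self.idle_days = key, 0
        return True

    def unlock_with_biometric(self) -> bool:
        """Biometrics only reopen an AFU session; they cannot unwrap the CE key."""
        if self.ce_key is None:
            return False
        self.idle_days = 0
        return True

    def read(self, name: str) -> bytes | None:
        """None in BFU: the file is still on flash, but only as ciphertext."""
        if self.ce_key is None:
            return None
        return unseal(self.ce_key, self.ce_files[name])

    def ram_dump(self) -> bytes | None:
        """What a memory-reading extraction tool gets: the CE key in AFU, nothing in BFU."""
        return self.ce_key

    def reboot(self) -> None:
        self.ce_key, self.idle_days = None, 0

    def idle_day_passes(self) -> bool:
        """A day with no unlock; True if the inactivity reboot fired."""
        self.idle_days += 1
        if self.idle_days >= IDLE_REBOOT_DAYS:
            self.reboot()
            return True
        return False


if __name__ == "__main__":
    phone = Phone("1234")
    print("boot:", phone.state(), phone.read("notes.txt"))           # BFU None
    phone.unlock_with_pin("1234")
    print("owner unlocked:", phone.state(), phone.read("notes.txt"))  # AFU b'tax records'
    while not phone.idle_day_passes():
        pass
    print("after 3 idle days:", phone.state(), phone.ram_dump())      # BFU None
```

The point to take from the model is where the CE key is at each step: a wrong PIN never produces it, a biometric cannot produce it from BFU, a RAM dump only yields it in AFU, and the timer-driven `reboot()` removes it without any user action, which is exactly the window the article says the feature shortens.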
Internet of Things
Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017
That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way
LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology
The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors




