More stories

  • Nearly $700 million spent on ransomware payments in 2020 alone: report

    Victims of ransomware spent nearly $700 million paying off their attackers in 2020, according to a new report from blockchain analysis firm Chainalysis. 

    In the company’s last report, they pegged the figure at around $350 million, but increased the figure “due to both underreporting by ransomware victims and our continuing identification of ransomware addresses that have received previous victim payments.” Right now, the latest figures show more than $692 million was spent on ransomware payments in 2020. For 2021, they have already tracked over $602 million worth of ransomware payments but noted that, like 2020, it is an underestimate.

    “In fact, despite these numbers, anecdotal evidence, plus the fact that ransomware revenue in the first half of 2021 exceeded that of the first half of 2020, suggests to us that 2021 will eventually be revealed to have been an even bigger year for ransomware,” Chainalysis said. The report also listed the most prolific ransomware groups by total payments received, finding that Conti led the way with at least $180 million made from ransoms.

    The report notes that, conversely, law enforcement agencies have made some headway in getting ransoms back, giving organizations even more incentive to report attacks. Unfortunately, 2021 also saw more active individual ransomware strains than any other year on record, according to the blockchain research organization. Their data shows that at least 140 ransomware strains received payments from victims at some point in 2021. The number was 119 in 2020 and 79 in 2019.

    The researchers added that, more than ever, groups were also shutting down and restarting under new names, providing one explanation for the increase in ransomware strains. The average number of days a ransomware strain stayed active in 2021 was 60, far lower than the 168 days in 2020 and 378 in 2019. Chainalysis claimed one criminal group — Evil Corp — had ties of some kind to the Doppelpaymer, Bitpaymer, WastedLocker, Hades, Phoenix Cryptolocker, Grief, Macaw, and PayloadBIN ransomware strains. The researchers were able to tie some of the ransomware groups together based on their cryptocurrency transaction histories.

    The company estimates that Evil Corp made at least $85 million from its various ransomware strains.


    Now that more ransomware groups are targeting larger, more profitable organizations, the average ransomware payment size increased to over $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019, according to the company’s data. Most ransomware groups appear to send their ransoms to centralized exchanges or mixers as a way to launder their stolen funds. Chainalysis said more than half of the funds sent from ransomware addresses since 2020 have wound up at one of six cryptocurrency businesses: three large international exchanges, one high-risk exchange based in Russia, and two mixing services.

    Chainalysis also included a rundown of its involvement in the investigation of the ransomware attack on Colonial Pipeline last May. The company helped the FBI track the 75 bitcoin Colonial Pipeline paid to DarkSide, and eventually the Justice Department was able to claw back about $2.3 million of the ransom. The address that initially received the ransom transferred it to accounts controlled by DarkSide’s administrators, who then sent 63.7 bitcoin to the affiliate who led the attack. The affiliate had previously received payments from addresses associated with NetWalker, another ransomware strain disrupted by law enforcement in January 2021. That affiliate received 595.3 bitcoin in four different chunks from the NetWalker administrator in late May and early June of 2020.

    “After tracking the funds to the affiliate’s address, FBI investigators were able to seize the funds on May 28, 2021,” the researchers said. “The seizure represents a huge step forward in the fight against ransomware, and especially ransomware strains that attack our critical infrastructure.”

  • Cloudflare reports $656 million revenue in 2021, strong Q4

    Network security and content delivery network provider Cloudflare this afternoon reported Q4 revenue that topped expectations and profit that narrowly beat Wall Street’s forecast. Revenue in Q4 rose 54%, year over year, to $193.6 million, yielding an EPS of $0.00. Analysts had been modeling $184.7 million and a loss per share of -$0.01.

    The report sent Cloudflare shares up nearly 7% in late trading. For the full year, the company saw revenue of $656.4 million, a 52% year-over-year increase, and a non-GAAP net loss of $15.1 million.

    “The full year represented a 52% year-over-year increase in revenue growth and a 71% year-over-year increase in large customer growth. It was also the fifth straight year we achieved 50%, or greater, compounded growth,” said Matthew Prince, co-founder and CEO of Cloudflare. “Our continued success is fueled by a culture of relentless innovation on top of a highly scalable platform. That’s why we’re uniquely positioned to extend our network, introduce new Zero Trust capabilities, and grow our total addressable market. We’ve never been more motivated to take on this huge opportunity as corporate networks transition to the cloud, and developers line up to build on our edge.”

    In Q1, Cloudflare expects a revenue between $205 million and $206 million as well as a non-GAAP net income per share of $0.00 to $0.01. In fiscal 2022, the company is aiming for a revenue between $927 million and $931 million. They predicted a non-GAAP net income per share between $0.03 and $0.04. The company also announced on Thursday that it is acquiring security company Vectrix for an undisclosed sum. 


  • New Windows 11 test build includes promised features

    As of today, Windows Insider testers in the Beta and Release Preview channels can kick the tires of some of the new features that Microsoft officials have promised to roll out to mainstream users in February.

    Windows 11 build 22000.526 (KB5010414) includes a bunch of fixes. It also includes previews of the weather widget, which will be on the left side of the taskbar; the ability to share open application windows directly from the taskbar to a Teams call; and the ability to instantly mute and unmute Teams calls from the taskbar.

    Today’s test build also includes a feature that Microsoft ended up cutting from Windows 10 21H2 just before it rolled out: Windows Hello for Business Cloud Trust. Microsoft’s blog post explains Hello for Business Cloud Trust this way: “This is a new deployment model for hybrid deployments of Windows Hello for Business. It uses the same technology and deployment steps that support on-premises single sign-on (SSO) for Fast IDentity Online (FIDO) security keys. Cloud Trust removes the public-key infrastructure (PKI) requirements for deploying Windows and simplifies the Windows Hello for Business deployment experience.”

    Build 22000.526 also adds the requested ability to see the clock and date on the taskbars of connected monitors. It includes a substantial number of additional fixes that are detailed in the blog post.

    Microsoft officials said a couple of weeks ago that they planned to release several new features in February to Windows 11 users — well ahead of the Windows 11 22H2 feature update expected around October this year. Officials said mainstream Windows 11 users (not Insider testers) will get a public preview of Android apps on Windows 11, taskbar improvements with call mute and unmute, easier window sharing, and the weather icon on the taskbar. (Plus, users will get the redesigned Notepad and Media Player apps in February.) Microsoft plans to deliver these various features to users’ PCs using its Feature Experience Pack, Online Service Experience Pack, and Web Experience Pack mechanisms, officials said.


  • Apple plans to make finding unwanted AirTags easier

    Apple on Thursday laid out a series of steps it’s taking to address privacy and safety issues related to AirTags, following reports that the devices have been used for malicious and criminal activity. Some of the more significant changes will come later this year. Apple plans to alert users more quickly when an unwanted device may be traveling with them and also plans to make it easier to find those devices with louder tones and precision finding.

    With precision finding, iPhone 11, iPhone 12, and iPhone 13 users will be able to see the distance and direction to an unknown AirTag when it is in range. The feature relies on input from the phone’s camera, ARKit, accelerometer, and gyroscope.

    In the meantime, Apple is taking more incremental steps to address the problem. First, in an upcoming software update, users setting up their AirTags for the first time will see a new privacy warning. The new message states that using AirTags to track people without consent can be a crime, that the AirTag is designed to be detected by victims, and that law enforcement can request identifying information about the owner of the AirTag. Apple said it’s been “actively working with law enforcement on all AirTag-related requests [it has] received,” providing user information in response to subpoenas or valid requests.

    The company is also updating the alert users receive when possibly unwanted AirPods have been traveling with them. Instead of receiving an “unknown accessory” alert, users will receive a message that AirPods are traveling with them.

    Lastly, Apple is updating its unwanted tracking support article to communicate the safety features built into AirTags, AirPods, and Find My network accessories.

    This isn’t the first time Apple has acknowledged problems associated with AirTags. Just last month, the company updated its Personal Safety User Guide in an attempt to better help customers and potential victims understand what to do if they find an unwanted AirTag. The update followed a spate of local and national news reports about stalking incidents and auto theft attempts involving AirTags. The reports typically involve someone finding an unknown AirTag secreted away in a handbag, tucked behind their vehicle’s license plate, or stashed somewhere else that will help a criminal track their location.

    While Apple is starting to address the issue, there are more significant steps it could take to protect consumers, as Adrian Kingsley-Hughes recently noted on ZDNet. As he suggested, Apple could work with Google to bring comprehensive tag tracking to both iOS and Android. Additionally, he said, Apple could make it harder to modify AirTags. Meanwhile, as ZDNet’s Michael Gariffo noted, this problem isn’t strictly about Apple devices. Products from Tile, Samsung, and other brands with similar tracking capabilities, including devices to track lost pets, could be used for malicious purposes.

  • Adobe urges customers to upgrade after 500 stores breached through Magento platform

    Adobe urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security company Sansec detected a mass breach of over 500 stores running the platform.


    In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020. “We continue to encourage merchants to upgrade to the latest version of Adobe Commerce for the most up-to-date security, flexibility, extensibility, and scalability,” an Adobe spokesperson said. “At a minimum, we recommend Magento Open Source merchants on Magento 1 to upgrade to the latest version of Magento Open Source (built on Magento 2), to which Adobe contributes key security updates.”

    On Tuesday, Sansec released a report revealing that hundreds of stores were the victims of a payment skimmer loaded from the naturalfreshmall.com domain.

    “More than 350 ecommerce stores infected with malware in a single day. Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.” — Sansec (@sansecio), January 25, 2022

    “We invited victims to reach out to us, so we could find a common point of entry and protect other merchants against a potential new attack. The first investigation is now completed: attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store,” the researchers explained. “Attackers abused a (known) leak in the Quickview plugin. While this is typically abused to inject rogue Magento admin users, in this case the attacker used the flaw to run code directly on the server.”

    In their examination of one attack, researchers found the threat actor left 19 backdoors on the system. They recommended victims use a malware scanner to identify all of the instances of malicious files or Magento code that had malicious code added to them.

    Sansec noted that even though Adobe has ended support for Magento 1, thousands of businesses still use it. Magento has long been a source of issues for Adobe and the online merchants who use it. In November, the National Cyber Security Centre (NCSC) identified a total of 4,151 retailers that had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised through known vulnerabilities in the e-commerce platform Magento.

    In February 2021, Magento received a slew of security fixes from Adobe. Specifically, Magento Commerce and Magento Open Source on all platforms were subject to a total of 18 bugs, varying in severity from critical to moderate. More than 2,000 Magento online stores were hacked in September 2020, attacks that were also spotted by Sansec at the time.

    Attacks against sites running the now-deprecated Magento 1.x software were anticipated by Adobe, which issued the first alert in November 2019 about store owners needing to update to the 2.x branch. Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa. Even the FBI warned in 2020 that hackers were exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that records and steals buyers’ payment card data.

  • This Android banking trojan is spreading by copying the tactics of another malware menace

    Two powerful forms of Android malware are being spread in attacks which share the same infection tactics and delivery infrastructure. Detailed by cybersecurity researchers at ThreatFabric, the campaigns involve FluBot malware – also known as Cabassous – and another Android banking trojan, Medusa.

    FluBot is one of the most notorious forms of Android malware, which steals passwords, bank details and other sensitive information from infected smartphones. It also gains access to contact books in order to spread itself to other victims via malicious SMS messages, which are often designed to look like an alert about a missed package delivery. FluBot is so prolific that national cybersecurity agencies have issued warnings about it.

    The success of FluBot has also been noticed by other cyber criminals, to the extent that those behind Medusa – which is designed to steal sensitive information via keylogging, taking screenshots and collecting data about how the phone is used – have copied its techniques for spreading their malware. Medusa campaigns have been seen using the same app names, package names and similar icons used in successful FluBot campaigns, including one which delivers links to malware in messages which claim to come from DHL. But Medusa campaigns don’t just look the same as FluBot attacks; they’re being delivered via the same SMS phishing (SMSishing) service. The malware isn’t new; it first emerged in 2020. But the adoption of new tactics could see Medusa become a common threat for Android users.

    “Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns,” warn ThreatFabric researchers.

    While FluBot malware campaigns tend to be restricted to victims in Europe, Medusa has a more widespread focus. The malware initially started out by focusing on Turkey, but now it’s also targeting users in North America and Europe. “Powered with multiple remote access features, Medusa poses a critical threat to financial organisations in targeted regions,” said researchers.

    However, the additional spread of Medusa doesn’t mean that FluBot is about to become any less of an issue. Researchers note that the creators of FluBot continue to add functionality, including the ability to replace or interact with app notifications. This enables the attackers to manipulate applications, allowing them both to direct users towards apps they want to steal information from and to take control of messaging apps.

    Both Medusa and FluBot remain a threat to Android users, but there are steps which can be taken in an effort to avoid becoming a victim. One of those is to remember that it’s unlikely any company will ask you to download an application from a direct link, so any unexpected text message asking you to download from a link should be regarded with caution. As long as users don’t click on the links, they’ll avoid infection.

  • FritzFrog botnet returns to attack healthcare, education, government sectors

    The FritzFrog botnet has reappeared with a new P2P campaign, showing growth of 10x within only a month.

    FritzFrog is a peer-to-peer botnet discovered in January 2020. Over a period of eight months, the botnet managed to strike at least 500 government and enterprise SSH servers.


    The P2P botnet, written in the Go (Golang) programming language, is decentralized in nature and will attempt to brute-force servers, cloud instances, and other devices — including routers — that have exposed entry points on the internet.

    On Thursday, cybersecurity researchers from Akamai Threat Labs said that despite having gone quiet after its previous attack wave, the botnet has reappeared since December with an exponential growth surge. “FritzFrog propagates over SSH,” the researchers say. “Once it finds a server’s credentials using a simple (yet aggressive) brute force technique, it establishes an SSH session with the new victim and drops the malware executable on the host. The malware then starts listening and waiting for commands.”

    In total, 24,000 attacks have been detected to date, and 1,500 hosts have been infected, the majority of which are located in China. The botnet is used to mine for cryptocurrency. Healthcare, education, and government sectors are all on the target list. Thanks to new functionality and the usage of a proxy network, the malware is also being prepared to home in on websites running the WordPress content management system (CMS).

    A TV channel in Europe, a Russian healthcare equipment manufacturer, and universities in Asia have been compromised. 

    Akamai considers FritzFrog a “next-generation” botnet due to a number of key features. These include consistent update and upgrade cycles, an extensive dictionary used in brute-force attacks, and its decentralized architecture, which is described as “proprietary.” In other words, the botnet doesn’t rely on other P2P protocols to function.

    The latest FritzFrog is updated daily — sometimes more than once a day. Alongside bug fixes, the operators have included the new WordPress function to add websites based on this CMS to a target list. However, at the time of writing, the lists are empty, which suggests this is an attack feature in the development pipeline.

    Akamai isn’t certain of the botnet’s origin, but there are some indicators that the operators are either based in China or are impersonating operators in the country. A newly added file transfer library, for example, links to a GitHub repository owned by a user in Shanghai. In addition, the botnet’s cryptocurrency mining activity links to wallet addresses also used by the Mozi botnet, whose operators were arrested in China.

    The cybersecurity firm has provided a FritzFrog detection tool on GitHub.

  • This password-stealing malware posed as a Windows 11 download

    Windows 10 users need to be cautious about fake Windows 11 installers that are being used to spread the info-stealing RedLine malware.

    RedLine is not especially sophisticated malware but can steal passwords and is sold as an online service for $150 a month to people who want to steal cryptocurrency like Bitcoin or Ethereum.

    Crooks use numerous tricks to get the unwary to download it, and now HP has found them using fake promises of Windows 11 upgrades as a lure to trick PC users into installing the malware. Microsoft has set a high bar for hardware that is eligible for the upgrade to Windows 11 and leans towards newer processors. Few devices were initially eligible, but Microsoft recently announced it was accelerating the rollout to meet unexpected demand. In this case, the hackers tried to use Microsoft’s January 26 announcement that Windows 11 was “entering its final phase of availability and is designated for broad deployment for eligible devices” as an angle, registering their own fake domain the day after.

    HP security researchers found that RedLine actors registered a fake domain in the hope of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design of the legitimate Windows 11 website, except that clicking on the “Download Now” button downloads a suspicious zip archive. “The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information stealing malware family that is widely advertised for sale within underground forums,” said Patrick Schläpfer, a malware analyst for HP’s Wolf Security team.

    The domain name for the bogus Windows 11 upgrade page was registered with a Russian registrar; Microsoft’s actual Windows 11 upgrade page is hosted on a Microsoft.com domain. The malware aims to steal stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets.


    Microsoft has been streamlining its Windows feature upgrades, including making them more like a Patch Tuesday for ‘N-minus-1’ upgrades, but the criminals in this case shipped a tiny compressed malicious installer of just 1.5MB of data that, after decompression, expanded to a folder of 753 MB, a feat that impressed HP’s malware analyst.

    “Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible,” writes Schläpfer. He also noted the use of a junk 0x30-byte “filler area” in the file that served no other apparent purpose than evading detection by antivirus. “One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware,” he notes.

    The Windows 11 ruse is typical of RedLine’s operators, who’ve made a cheap and nasty malware service for non-techies to use. In December, it was riding off the branding of the hugely popular messaging app Discord. HP notes: “Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources.”
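As an added defender-side example (not from HP’s report or the original article), the check below applies the two observations above to a zip archive: it computes each entry’s compression ratio from the central directory and, for entries with a suspicious ratio, inflates a bounded amount to look for a long run of one repeated byte such as the 0x30 filler. The thresholds, the inflate cap and the constructed sample archive are assumptions.

```python
import io
import os
import zipfile
from itertools import groupby

# Tunables (assumed, not HP's values): the page cites a 99.8% ratio for the
# malicious archive against a 47% average for executables, so 95% is used as
# the trigger; a run of 256 KiB of one byte is treated as filler.
RATIO_THRESHOLD = 0.95
RUN_THRESHOLD = 256 * 1024
MAX_INFLATE = 64 * 1024 * 1024  # never inflate more than this per entry (zip-bomb guard)


def compression_ratio(info):
    """Fraction of the entry removed by compression, the way the 99.8% figure is defined."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size


def longest_single_byte_run(data):
    """Return (length, byte value) of the longest run of one repeated byte."""
    best_len, best_byte = 0, None
    for value, group in groupby(data):
        n = sum(1 for _ in group)
        if n > best_len:
            best_len, best_byte = n, value
    return best_len, best_byte


def scan_zip(zip_bytes):
    """Flag entries whose ratio is suspicious; inflate bounded entries to locate filler."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = compression_ratio(info)  # needs no decompression at all
            if ratio < RATIO_THRESHOLD:
                continue
            finding = {"name": info.filename, "ratio": round(ratio, 4),
                       "inflated_size": info.file_size, "filler": None}
            # Only inflate entries we can afford to hold; oversized ones stay flagged on ratio alone.
            if info.file_size <= MAX_INFLATE:
                run_len, run_byte = longest_single_byte_run(zf.read(info))
                if run_len >= RUN_THRESHOLD:
                    finding["filler"] = (run_byte, run_len)
            findings.append(finding)
    return findings


def build_sample_zip():
    """Constructed sample, not the real RedLine archive: a padded 'installer.exe'
    made of a small random body plus a 512 KiB run of 0x30, beside a normal file."""
    body = os.urandom(4096)
    padded = body + b"\x30" * (512 * 1024) + body
    normal = os.urandom(64 * 1024)  # random bytes barely compress, like packed code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", padded)
        zf.writestr("readme.txt", normal)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```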