Information Technology

Victims of ransomware attacks are paying higher ransoms than ever before, but there are signs that organisations are starting to take heed of cybersecurity advice, making them more resilient to cyber criminals. According to analysis by cybersecurity researchers at Sophos, the average ransom payment made by victims to choose to pay cyber criminals for a decryption key to restore their files and servers following a successful ransomware attack has increased to $812,260 – an almost five-fold increase compared with the 2020 average of $170,000. And the proportion of victims who pay ransoms of over $1 million has also risen substantially, up from 4% of ransom payments in 2020 to 11% in 2021 – meaning one in ten successful ransomware attacks is providing cyber criminals with a million dollar pay day. According to analysis by Sophos, just under half of ransomware victims pay the ransom, perceiving it to be the quickest way to restore the network – even though decryption keys provided by cyber criminals can’t be trusted and paying a ransom might just show that the victim is an easy target who could be extorted again. Ransomware attacks continue to be successful because cyber criminals can still exploit common cybersecurity vulnerabilities to enter networks and carry out campaigns. But while ransomware is still a major cybersecurity issue, there are signs that the situation could be about to get better.SEE: Cybersecurity: Let’s get tactical (ZDNet special report)”I’m a little optimistic for the first time in years about ransomware – I think we might be at the peak of our worst right now and I’m hoping we start to turn a corner,” Chester Wisniewski, principal research scientist at Sophos told ZDNet, citing how government bodies like the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have stepped in in “a meaningful way” to provide accessible and useful advice on how to improve cybersecurity. “The advice they’re giving and the things they’re doing are actually helping – I don’t think enough organisations are listening to them yet, but at least the resources are accessible, approachable and usable, so it’s a good start,” he said In addition to this, cyber insurance providers are demanding better security preparations from companies before issuing policies, while Wisniewski says the US sanctions against Russia following its invasion of Ukraine has had an impact on American businesses which do not want to pay ransoms to cyber criminals who are often working out of that region. “We’re seeing it being a really serious motivator for American companies and insurance companies to not pay ransoms,” said Wisniewski But while there are some encouraging signs, it’s unlikely ransomware is going away anytime soon.  The reason ransomware is so lucrative for cyber criminals is because there are victims who pay the ransoms. And if there are organisations out there who are vulnerable to cyber attacks and are still willing to pay six-figure ransom demands, there’s always going to be ransomware groups trying to exploit this. “I don’t think you’re ever going to deter the hardcore ransomware groups because there’s too much money to be made when they’re getting multi-million dollar hits,” said Wisniewski. “Crooks aren’t going to walk away from that, even if it’s a one in twenty chance – it’s still a million dollars,” he added.  MORE ON CYBERSECURITY More

Bronze President has potentially shifted from Asia to focus on Russia as the invasion of Ukraine continues. Also known as Mustang Panda, TA416, or RedDelta, the Chinese cyberespionage group has been active since at least 2018 and has traditionally focused on gathering intelligence from NGOs, research institutes, and internet service providers (ISPs).

Ukraine Crisis

Past countries and regions on the hit list include Europe, Mongolia, Russia, Vietnam, and South Africa. According to Secureworks Counter Threat Unit (CTU), the group is either “sponsored or at the very least tolerated by the Chinese government” and “appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine.” Recent campaigns have primarily focused on Southeast Asia, with targets infiltrated for “political and economic” data theft and ongoing, long-term surveillance. However, CTU says that Bronze President has now pivoted to Russian speakers alongside European organizations. “This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People’s Republic of China (PRC),” the researchers say. Government-sponsored — or, perhaps, tolerated — cyberattackers are tasked with activities that will benefit their government somehow. This often includes intelligence-gathering, spying, and activities that improve situational awareness, especially in times of conflict. These activities don’t only include ‘enemies’ or ‘hostile’ states — it also extends to who a country considers an ally or friend. CTU suggests that the recent Bronze President shift could indicate “an attempt by China to deploy advanced malware to computer systems of Russian officials.”

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Bronze President is suspected of targeting the Russian military. The team analyzed a malicious executable called “Blagoveshchensk – Blagoveshchensk Border Detachment.exe,” which was disguised with a .PDF icon and heavily obfuscated to hide a downloader for PlugX malware. (The city of Blagoveshchensk is close to the Chinese border and is home to part of the Russian military.)If executed, the file will display a decoy document (written in English, oddly), which describes the refugee situation and EU sanctions. In the background, a downloader grabs PlugX from a command-and-control (C2) server previously tied to campaigns in Europe. PlugX is a Remote Access Trojan (RAT) capable of file exfiltration, executing remote command shells, establishing a backdoor, and deploying additional malicious payloads. Bronze President has a wide range of tools, including Cobalt Strike, the China Chopper backdoor, RCSession, and ORat, at its disposal. In March, ESET said the group was taking advantage of the war to spread a new Korplug/PlugX RAT variant, dubbed Hodur, via Ukraine & Russia-themed phishing campaigns. In other cybersecurity news related to Russia and Ukraine, Aqua Security has been tracking the use of cloud repositories by those on both sides of the conflict. The researchers found that 40% of public repositories with descriptions or names linked to the invasion, including tools and guides, promoted denial-of-service (DoS) activities “aimed at disrupting the network traffic of online services.” See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Chinese drone maker DJI dropped a quick note on Tuesday to state it was suspending operations in Russia and Ukraine. “DJI is internally reassessing compliance requirements in various jurisdictions,” the note said. “Pending the current review, DJI will temporarily suspend all business activities in Russia and Ukraine. We are engaging with customers, partners and other stakeholders regarding the temporary suspension of business operations in the affected territories.” A week earlier, the company said it deplored any harm caused by the use of its products, particularly militarily. DJI said it produces products for consumers, and is “unequivocally opposed” to attempts that mount munition on its drones and has refused customisations for military use. “DJI believes strongly in these principles. Our distributors, resellers, and other business partners have committed to following it when they sell and use our products,” it said. “They agree not to sell DJI products to customers who clearly plan to use them for military purposes, or help modify our products for military use, and they understand we will terminate our business relationship with them if they cannot adhere to this commitment.” In March, Ukrainian Vice Prime Minister and Minister of Digital Transformation Mykhailo Fedorov accused Russia of using DJI drones to kill children, and called on DJI to block products being used in Ukraine that were not brought there, and to block drones purchased and activated in Russia, Syria, and Lebanon. Related Coverage More

Google has commenced the roll out of its new data safety section for Android users on the Play Store. The new section will require app developers to inform users on how they collect data, who has access to that data, and what data is collected.Further information available to users will include whether the developer has qualified their security practices against a global security standard, whether the app has committed to follow Google Play’s Families Policy, and more granular details relating to an app’s security practices such as whether users can ask for data to be deleted. Google will also require developers revise their data safety section when updating the functionality or data handling practices of their apps.  “We heard from users and app developers that displaying the data an app collects, without additional context, is not enough. Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties,” the company said in a blog post.”In addition, users want to understand how app developers are securing user data after an app is downloaded. That’s why we designed the data safety section to allow developers to clearly mark what data is being collected and for what purpose it’s being used. Users can also see whether the app needs this data to function or if this data collection is optional.”Although the roll out of the new section has already commenced, developers have until the July 20 to fill out the section. Moreover, Google encouraged users to access the Android privacy dashboard to manage app permission for the use of location data, microphone, camera options, and to also review data access by apps.The new requirements come a month after Google removed an app with over 100,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users and, additionally, after Google was reportedly fined €2 million by the Paris Commercial Court for acting abusively to developers with apps on the Play Store.Related Coverage More

A prolific botnet has reemerged with new techniques to infect Windows PC with malware. Once described as the most dangerous malware botnet in existence, Emotet helped cyber criminals to distribute malware and ransomware to victims around the world, before being disrupted by a coordinated global law enforcement takedown in January 2021. 

ZDNet Recommends

But Emotet reemerged 10 months later and has resumed campaigns. It is sending out millions of phishing emails in mass spam campaigns, with the aim of infecting devices with malware that ropes them into a botnet controlled by cyber criminals. SEE: A winning strategy for cybersecurity (ZDNet special report)According to cybersecurity researchers at Proofpoint, Emotet appears to be testing new attack techniques at a small scale, which could potentially be adopted for much larger campaigns. These techniques are designed to make attacks more difficult to detect, ultimately increasing the chances of them being successful.  The emergence of new attack techniques has coincided with a period when it seemed widespread Emotet campaigns were put on hold, with new activity occurring at low volume. One of these new campaigns exploits compromised email accounts to send out spam-phishing emails with one-word subject lines – researchers note that one of them is simply ‘Salary’, a subject line that could encourage a user to click out of curiosity. The message bodies contain only a OneDrive URL, which hosts zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line. If the XLL files are opened and executed, Emotet is dropped on the machine, infecting it with malware. Emotet can be used to steal information from victims and serves as a backdoor for deploying other malware onto the compromised Windows system – it has commonly been used as a backdoor to deploy ransomware attacks. What makes this campaign distinct from previous Emotet campaigns is the use of OneDrive URLs – typically, Emotet attempts to spread itself via the use of Microsoft Office attachments or phishing URLs that link to Office files. The use of XLL files is also unusual, as Emotet has traditionally been distributed using Microsoft Excel or Word documents containing Visual Basic for Applications (VBA) scripts or macros.SEE: Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned upThis switch comes after Microsoft announced it would begin blocking macros obtained from the internet by default from April. That move is part of an effort to help protect users from a technique commonly used in phishing attacks, so gangs are likely testing new techniques to get around this. “After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.”Organisations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added. ZDNet has contacted Microsoft for comment. MORE ON CYBERSECURITY More

The White House has laid out its plans to give more authorities the power to respond to nefarious drone activity.The administration says while drones – or unmanned aircraft systems (USA) – have become useful for research, recreation and business, they’ve also become risks to public safety, privacy and homeland security. 

“Malicious actors have increasingly used UAS domestically to commit crimes, conduct illegal surveillance and industrial espionage, and thwart law enforcement efforts at the local, state and federal level,” it warns.SEE: The best drone accessories: Truly useful must-havesTo address the risks of rogue UAS, the White House wants to broaden powers of federal agencies that can already use technology to counter or neutralize bad drones, and expand authorization of the use of drone-detection technology, such as RF jammers, below the federal level.The White House has called on Congress to enact legislation outlined in the administration’s eight-point Domestic Counter-Unmanned Aircraft Systems National Action Plan “to close critical gaps in existing law and policy” that impede counter-rogue drone capabilities. The plan seeks to “expand where we can protect against nefarious UAS activity, who is authorized to take action, and how it can be accomplished lawfully,” the White House said in a statement.     The plan seeks to expand the existing counter-UAS powers available to Departments of Homeland Security (DHS), Justice, Defense, State, the Central Intelligence Agency and NASA “in limited situations”. It also wants to authorize the use of UAS detection technology for state and local and, notably, for critical infrastructure owners and operators. Currently, non-federal entities need to seek assistance from authorized entities like DHS to respond to a drone threat.    To avoid detection activity disrupting airspace and communications spectrum, the plan calls for the creation of a US government authorized-detection equipment list. It also wants a federal UAS incident-tracking database for departments and agencies to see the overall domestic threat. 

Commercial drones have caused several public safety incidents in recent years. Ahead of the Christmas break in 2018, hundreds of flights were cancelled at London’s Gatwick Airport following reports of a drone sighting near the airport: researchers found a drone striking an aircraft could create structural damage to parts of a wing. A year later, the UK government funded 18 counter-drone and drone technology projects overseen by the UK’s Ministry of Defence. NATO Communications and Information Agency (NCI Agency) in November tested 70 counter-drone systems that track and neutralize drones. One of them used a NATO-controlled drone “hunter” to track another drone and cast a net on the target to bring it down.   In the US, per Associated Press, Newark Liberty International Airport halted all landings in January 2019 after a drone sighting nearby. In 2015, drones crashed on the White House grounds in two separate incidents, prompting calls for the Federal Aviation Administration (FAA) to regulate recreational drone use. Today, the FAA requires recreational drone operators to register their identity with the FAA if the aircraft is 55 pounds or heavier. About 1.14 million recreational owners registered an estimated 1.44 million aircraft in use in December 2020, according to the FAA.Biden’s plan also calls for a comprehensive criminal statute to establish legal and illegal uses of UAS, and to close loopholes in existing federal law, while creating penalties to deter the most serious UAS-related crimes.  More

A security vulnerability that was left unpatched for three years allowed a notorious cyber-criminal gang to breach a network and plant ransomware. The BlackCat ransomware attack against the undisclosed organisation took place in March 2022 and has been detailed by cybersecurity researchers at Forescout who investigated the incident. 

BlackCat ransomware – also known as ALPHV – is becoming one of the most active ransomware groups currently, to the extent that the FBI has released an alert about it, warning how the group has compromised at least 60 victims around the world. SEE: Cybersecurity: Let’s get tactical (ZDNet special report)While BlackCat has a reputation for running a sophisticated ransomware operation, it was a simple technique that allowed malicious cyber criminals to gain initial access to the network – exploiting an SQL injection vulnerability in an internet-exposed unpatched and end-of-life SonicWall SRA appliance. A security patch has been available to fix the vulnerability since 2019, but it hadn’t been applied in this case, providing cyber criminals with an easy entry point into the network.  From there, the attackers were able to gain access to usernames and passwords, using them to gain access to ESXi servers, where the ransomware payload was ultimately deployed.  BlackCat deploys several techniques not used by other ransomware groups designed to make attacks successful. For starters, the ransomware is written in the Rust programming language, which is unusual for malware and makes it more difficult to detect and examine. The ransomware also uses a unique binary for each victim, based around information found in the target environment. The unique binary makes it more difficult to identify attacks as the code used in each campaign will be slightly different.  “A unique binary that is not general for each victim makes the detection harder,” Daniel dos Santos, head of security research at Forescout, told ZDNet.  In the case of the March 2022 incident, the attack was partially successful. BlackCat ransomware successfully encrypted servers and files, but the attack wasn’t able to spread to other parts of the network because it had been segmented. While the attackers could control one area of the network, they couldn’t move into other sections. “The segmentation was actually well done in this case and that’s why it was contained,” said dos Santos, who added that this attack using BlackCat ransomware-as-a-service appeared to have been carried out by a cyber criminal who was still learning how to conduct attacks properly. “The impression we got is that the affiliate that was running the actual malware wasn’t very experienced”. SEE: Google: We’re spotting more zero-day bugs than ever. But hackers still have it too easyHowever, despite the inexperience of the attacker, some servers were still infected with malware. While no ransom was paid, and the network segmentation reduced the impact of the attack, the whole incident could have been avoided if some basic cybersecurity hygiene advice had been followed. Those steps would have included applying the relevant security updates to fix a vulnerability that was first disclosed in 2019. “The biggest lesson here is patch the network infrastructure – whatever is facing the internet, it’s always important for it to be fully patched,” said dos Santos. It’s also recommended that organisations monitor their networks for external access from known IP addresses or unusual patterns of behavior. In addition, businesses should backup their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom. MORE ON CYBERSECURITY More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Workers inside the Bored & Hungry restaurant in Long Beach, California. Bored & Hungry is a pop-up burger restaurant using art from the Bored Ape Yacht Club NFT collection for it’s branding. 
Image: Bing Guan/Bloomberg via Getty Images
Bored Ape Yacht Club (BAYC), the purveyors of expensive template-based ape non-fungible tokens, announced on Monday that its Instagram account had been taken over and used to siphon off cryptoassets. “The hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake airdrop,” BAYC creators Yuga Labs said in a statement. “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m. We are actively working to establish contact with affected users.” On Twitter, it said once the attack was discovered, links to the Instagram account were removed before it regained control of the account. BAYC said it was looking into how the attack occurred and would be posting a full post mortem.”At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices,” it said, before contradicting its statement on reaching out to affected users. “If you were affected by the hack or have information that might be helpful, reach out to ighack@yugalabs.io. You need to contact us first — anybody contacting you first is not us. We will NOT reach out to anyone over email first, and we will NEVER ask for your seed phrase.” BAYC added it would only be announcing mint events on Twitter and its announcement Discord channel. In March, the company said it was looking to help launch ApeCoin, and had raised $450 million to build out a metaverse project that would integrate avatars from a number of NFT projects. Yuga Labs has also recently acquired CryptoPunks and Meebits from Larva Labs. Related Coverage More