More stories

  •

    Ubiquiti tells customers to change passwords after security breach

    Image: Ubiquiti Networks
    Networking equipment and IoT device vendor Ubiquiti Networks sent out notification emails to its customers today, informing them of a recent security breach.

    “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” Ubiquiti said in emails today.
    The servers stored information pertaining to user profiles for account.ui.com, a web portal that Ubiquiti makes available to customers who bought one of its products.
    The site is used to manage devices from a remote location and as a help and support portal.
    According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords.
    Home addresses and phone numbers may have also been exposed, but only if users decided to configure this information into the portal.
    How many Ubiquiti users are affected, and how the breach occurred, remain unknown.

    It is currently unclear if the “unauthorized access” took place when a security researcher found the exposed data or was due to a malicious threat actor.
    A Ubiquiti spokesperson did not immediately return a request for comment sent before this article’s publication.
    Despite the bad news to its customers, Ubiquiti said that it had not seen any unauthorized access to customer accounts as a result of this incident.
    The company is now asking all users who receive the email to change their account passwords and turn on two-factor authentication.
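    Why a leak of salted and hashed passwords still warrants rotation: the salt defeats precomputed tables, but it does nothing against a dictionary run per leaked record, and a fast hash makes that run cheap. The following is an added example, not Ubiquiti code; Ubiquiti has not said which hash function it uses, so the two record formats (plain SHA-256 over salt||password, and PBKDF2-HMAC-SHA256 with a work factor), the salt and the wordlist are all constructed for the demonstration.

```python
"""Offline guessing against leaked salted password hashes.

Added example; not Ubiquiti code. Ubiquiti has not disclosed its hashing scheme,
so the two record formats below are assumptions chosen to show the mechanics:
a single SHA-256 over salt||password, and PBKDF2-HMAC-SHA256 with a work factor.
The salt and the wordlist are constructed for the demo.
"""
import hashlib
import hmac

# A small slice of a cracking wordlist (constructed).
WORDLIST = ["password", "123456", "ubiquiti", "unifi2020", "ubnt2020!", "letmein"]

# 16-byte salt, fixed here so the records are reproducible (constructed).
SALT = bytes.fromhex("8f2c1b4e9d0a7c6e5b3a2f1d0c9b8a7e")


def record_sha256(password: str, salt: bytes) -> dict:
    """Salted but fast: one SHA-256 per guess, so a GPU tries billions per second."""
    return {"algo": "sha256", "salt": salt.hex(),
            "hash": hashlib.sha256(salt + password.encode()).hexdigest()}


def record_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> dict:
    """Salted and slow: every guess costs `iterations` HMAC rounds."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"algo": "pbkdf2_sha256", "salt": salt.hex(),
            "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the record's hash for `candidate` and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    if record["algo"] == "sha256":
        digest = hashlib.sha256(salt + candidate.encode()).hexdigest()
    elif record["algo"] == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt,
                                     record["iterations"]).hex()
    else:
        raise ValueError(f"unknown algo {record['algo']}")
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Try each word against one leaked record.

    The salt forces one run per record and defeats precomputed tables, but it
    does not stop this loop; only the per-guess cost of the hash and the
    strength of the password do. Returns (recovered password or None, guesses).
    """
    for n, word in enumerate(wordlist, 1):
        if verify(record, word):
            return word, n
    return None, len(wordlist)


if __name__ == "__main__":
    leaked = record_sha256("ubnt2020!", SALT)
    print(dictionary_attack(leaked, WORDLIST))   # ('ubnt2020!', 5)
    strong = record_pbkdf2("correct-horse-battery-staple-7", SALT)
    print(dictionary_attack(strong, WORDLIST))   # (None, 6)
```

The weak password falls on the fifth guess whichever scheme protects it; the work factor only changes how long each guess takes, and a password that is not in any wordlist is what actually survives. That is the reason the advice to rotate the password and enable two-factor authentication applies even though the stolen hashes were salted.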
    While some users initially took the emails for a phishing attempt, a Ubiquiti tech support staffer confirmed on the company’s forums that they were authentic.
    A full copy of the email is available below, as shared today on social media.

    Image: Dangal Son

  •

    CES 2021: Intel adds ransomware detection capabilities at the silicon level

    Intel Server GPU
    Image: Intel
    At the 2021 Consumer Electronics Show today, Intel announced it is adding ransomware detection capabilities to its new 11th Gen Core vPro processors through improvements to its Hardware Shield and Threat Detection Technology (TDT).

    A partnership with Boston-based Cybereason was also announced, with the security firm expected to add support for these new features to its security software in the first half of 2021.
    Both companies said that this would mark the first-ever case where “PC hardware plays a direct role” in detecting ransomware attacks.
    How it will all work
    Under the hood, all of this is possible via two Intel features, Hardware Shield and Intel Threat Detection Technology (TDT). Both are part of Intel vPro, a collection of enterprise-centered technologies that Intel ships with some of its processors.
    Hardware Shield is a technology that locks down the UEFI/BIOS; TDT is a technology that uses CPU telemetry to detect possibly malicious code.
    Both technologies work on the CPU directly, many layers beneath software-based threats such as malware and beneath the antivirus products meant to catch them. The idea behind Intel’s new features is to share some of this CPU-level data with security software and allow it to spot malware hiding in places that antivirus apps can’t reach.
    “Intel TDT uses a combination of CPU telemetry and ML heuristics to detect attack-behavior,” Intel said in a press release today. “It detects ransomware and other threats that leave a footprint on Intel CPU performance monitoring unit (PMU).”

    “The Intel PMU sits beneath applications, the OS, and virtualization layers on the system and delivers a more accurate representation of active threats, system-wide,” it added. “As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor’s code.”
    According to Intel and Cybereason, this new technology should allow companies to detect ransomware attacks when ransomware strains try to avoid detection by hiding inside virtual machines, since Hardware Shield and TDT run many layers below it.

    Image: Intel
    Available with 11th Gen Core vPro processors
    “Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats,” said Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel.
    “Our new 11th Gen Core vPro mobile platform provides the industry’s first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks,” the Intel exec added.
    “Together with Cybereason’s multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defenses.”
    To use the new feature, systems administrators only have to run security software that supports it. No CPU changes are required because, while most vPro features are optional, Intel made Hardware Shield standard across its vPro platforms starting with the 10th Gen release.
    While Cybereason will be the first to support detecting ransomware using hardware indicators, other security vendors will most likely tap into it in the future.
    Today’s news comes as Intel has been investing heavily in security in recent years. In June 2020, Intel also announced it was adding its new Control-flow Enforcement Technology (CET) to CPUs, a feature it said could help protect systems against malware that uses Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) techniques to infect devices and hijack apps.

  •

    Accenture buys Brazilian security firm Real Protect

    Accenture announced it has acquired Real Protect, a Brazilian provider of managed cybersecurity and security services (MSS) for an undisclosed sum.
    The Rio de Janeiro-headquartered firm’s threat monitoring and incident detection and response capabilities are expected to complement Accenture’s information security offerings.
    Daniel Lemos, chief executive at Real Protect, will lead Accenture’s Managed Security Services practice in Latin America.

    “We are going to extend [Accenture’s] MSS capabilities, bringing the success we have had to date to add even more value to customers”, said Lemos.
    According to research from Accenture, Brazil is a cybercrime epicenter and the firm estimates that security threats could cost companies around the world more than US$100 billion in revenue losses by 2023.
    Real Protect was the first company in Latin America to receive international certification from MSP Alliance, an association and certification body for cloud computing and managed services professionals.
    Real Protect’s approximately 90 cybersecurity professionals provide services to companies in the healthcare, energy, financial services, oil and gas sectors. The team will join the team of 7,000 Accenture Security professionals worldwide.

    The acquisition of Real Protect follows Accenture’s buyout of Brazilian technology firm Organize Cloud Labs in August 2020 as part of a move to strengthen its cloud growth strategy.

  •

    Microsoft Sysmon adds support for detecting Process Herpaderping attacks

    Image: ZDNet
    Microsoft has released a new version of the Sysinternals package and updated the Sysmon utility with the ability to detect Process Herpaderping and Process Hollowing attacks.

    Sysinternals is a collection of apps designed to help system administrators debug Windows computers or help security researchers track down and investigate malware attacks.
    The Sysinternals package comes with more than 160 different apps, each useful for a particular task.
    One of the most widely used Sysinternals apps is Sysmon, or System Monitor, which logs system-level events (process creations, network connections, and changes to file creation time) to the Windows event log.
    Over the years, the tool has become a must-have for security researchers, whether they defend networks or perform digital forensics and incident response (DFIR). Sysmon lets them record in-depth logs and then trace malicious activity back to specific processes and apps.
    With today’s release of Sysmon 13.00, Microsoft says that the Sysmon app can now detect and log when malware tampers with a legitimate process.
    When this happens, the Sysmon utility will create an alert in the Windows event log with the “EventID 25” identifier. System administrators and security researchers can then scan for this ID and detect what process a malware attack tried to modify.

    Image: Olaf Hartong

    Microsoft says that under the hood, the new Sysmon EventID 25 triggers “when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access.”
    Both of these types of behaviors are usually the indicators of two attacks, one known as Process Herpaderping and the other known as Process Hollowing.
    Process Herpaderping is a relatively new technique, first detailed last year, in which malware hides the intentions of a process by modifying the executable’s content on disk after the image has already been mapped into memory. Security software that inspects the on-disk file sees benign content and designates the process as safe, while the malicious code already mapped in memory runs.
    Process Hollowing is an older technique with a similar result: malware starts a legitimate application in a suspended state, “hollows out” its memory contents, and injects its own code, which then executes under the trusted process’s identity.
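    What a defender does with the new event in practice is pull Event ID 25 records out of the Microsoft-Windows-Sysmon/Operational log and triage them. The following is an added example, not part of the Sysinternals release or of Olaf Hartong’s write-up: it parses Sysmon records in their exported XML form, keeps the ProcessTampering events, and flags images launched from user-writable directories. The three events, their paths, PIDs and timestamps are constructed to follow Sysmon’s event layout; the two “Type” strings correspond to the two conditions Microsoft describes (mapped image differs from the on-disk file, or the file is locked for exclusive access).

```python
"""Triage of Sysmon Event ID 25 (ProcessTampering) records.

Added example; it is not part of the Sysinternals release or of Olaf Hartong's
write-up. The events below are constructed to follow the XML layout Sysmon
writes to Microsoft-Windows-Sysmon/Operational; paths, PIDs and times are made up.
"""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by every Sysmon record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon 13 only emits the event if the config has a ProcessTampering rule group
# (schemaversion 4.50). An empty exclude group logs every tampering event:
#   <ProcessTampering onmatch="exclude"></ProcessTampering>

# Directories a normal user can write to; an image launched from one of these
# and then tampered with deserves a closer look than a system binary does.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Meaning of the "Type" field, per the two conditions Microsoft describes.
TYPE_HINTS = {
    "Image is replaced": "on-disk image differs from the mapped image",
    "Image is locked for access": "image file held for exclusive access",
}

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-12 10:00:00.000</Data>
    <Data Name="ProcessId">4100</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-12 10:00:01.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-01-12 10:00:02.000</Data>
    <Data Name="ProcessId">4310</Data>
    <Data Name="Image">C:\Program Files\Vendor\svc.exe</Data>
    <Data Name="Type">Image is locked for access</Data>
  </EventData>
</Event>
</Events>"""


def event_data(event):
    """Flatten the <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def tampering_alerts(xml_text):
    """Return one triage record per Event ID 25 found in the exported XML."""
    alerts = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        if event.find("e:System/e:EventID", NS).text != "25":
            continue
        data = event_data(event)
        image = data.get("Image", "")
        kind = data.get("Type", "")
        alerts.append({
            "utc": data.get("UtcTime", ""),
            "pid": int(data.get("ProcessId", "0")),
            "image": image,
            "type": kind,
            "hint": TYPE_HINTS.get(kind, "unknown tampering type"),
            # Lower-case compare: NTFS paths are case-insensitive.
            "user_writable": any(m in image.lower() for m in USER_WRITABLE_MARKERS),
        })
    return alerts


if __name__ == "__main__":
    for a in tampering_alerts(SAMPLE_EVENTS):
        flag = "REVIEW" if a["user_writable"] else "check "
        print(f"{flag} pid={a['pid']} {a['image']} :: {a['type']} ({a['hint']})")
```

Expect benign hits as well: installers and updaters that overwrite their own image on disk produce the same event, so the exclude group in the Sysmon config is where known-good paths go after review, not before.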
    While other tools in the Sysinternals package have been used in previous years to detect process hollowing attacks, this marks the first time that support has been added for detecting the newer Process Herpaderping technique, which many security researchers expect to see being used in the wild in the coming years.
    Previews of both Sysmon EventID 25 warnings are available below from Mark Russinovich, one of the Sysinternals co-creators, who previewed them last year on Twitter. A deep dive into the new Sysmon 13.00 release and its support for detecting Process Herpaderping and Process Hollowing attacks is available here, from security researcher Olaf Hartong.

  •

    Free decrypter released for victims of Darkside ransomware

    Image: Maria Ten
    Cybersecurity firm Bitdefender released a free tool today that can help victims of the Darkside ransomware recover their encrypted files without paying the ransom demand.
    The tool, available for download from the Bitdefender site, along with usage instructions, gives hope to companies that had important files locked and ransomed by one of today’s most sophisticated ransomware operations.
    Background into the Darkside group
    Active since the summer of 2020, the Darkside group launched and still operates today through ads posted on cybercrime forums.

    Image: Digital Shadows
    The group uses a well-established Ransomware-as-a-Service (RaaS) model to partner with other cybercrime groups.
    These groups would apply for the Darkside RaaS and receive a fully functional version of the Darkside ransomware. They would then breach companies using their own chosen methods, install the ransomware, and ask for huge payouts, usually in the realm of hundreds of thousands or millions of US dollars.
    This modus operandi isn’t new, and it’s called “big-game hunting” because ransomware gangs usually tend to go after companies, instead of home users, in the hopes of increasing their profits.
    In situations where victims don’t pay, Darkside operators leak documents they stole from the victim’s network on a dedicated “leak site,” as a form of punishment and as a forewarning to other victims who may want to restore from backups instead of paying the crooks.

    Image: ZDNet

    While Darkside hasn’t posted the names and data of any new victims on its leak site since before last year’s winter holidays, the group is still believed to be active at the time of writing.
    According to security researcher MalwareHunter, the most recent activity from the group is an update to its leak site last week during which the Darkside operators added a new section dedicated to journalists, where reporters could register and get in contact with the Darkside gang directly.

    DarkSide ransomware’s leak website now has a “Press Center” where press people can register.Also “recovery companies” can register and then they will get more and more discounts after each clients they “helped”…Great news, right?😂@demonslay335 @VK_Intel pic.twitter.com/0wuGkbFGHK
    — MalwareHunterTeam (@malwrhunterteam) January 8, 2021

    While most Darkside victims have already either paid the ransom or restored from backups months ago, the Darkside decrypter is far from useless.
    Will the decrypter lead to a Darkside shutdown?
    First and foremost, the tool helps companies recover important files that were encrypted months before and which they weren’t able to restore but still have around, saved on backup drives.
    Second, the tool also imposes operational costs on the Darkside gang, which will now have to rewrite its file encryption code to prevent free decryptions.
    Third, the tool also deals a major reputational blow to the Darkside RaaS. Many ransomware operations have shut down in the past after the release of a free decrypter, as most of their customers abandoned them for newer and non-decryptable competitors.
    As for the victims themselves, the good news is that the free decrypter released today by Bitdefender should, in theory, work for all recent versions of the Darkside ransomware, regardless of the file extension that crooks added at the end of each encrypted file.
    This extension is unique per victim, as it’s computed from local characteristics, but that shouldn’t be a problem, Bitdefender said.

  •

    Capitol attack's cybersecurity fallout: Stolen laptops, lost data and possible espionage

    FBI is seeking certain people of interest. See notice at the end of this article.
    When hostile actors penetrated the Capitol Building on January 6, they gained access to individual chambers and offices and remained at large within the Capitol complex for well over two hours.
    We have reports that items were stolen. One report comes from acting US Attorney for DC, Michael Sherwin, who stated “items, electronic items were stolen from senators’ offices, documents and … we have to identify what was done to mitigate that.”  My local Senator, Jeff Merkley (D-Ore.), reported that at least one laptop had been stolen. 
    Amid stolen laptops, lost data and potential espionage, the cybersecurity consequences of this attack will take months to sort out. Here’s a look at the cybersecurity issues.  

    National security issues
    While surveillance undoubtedly tracked many of the hundreds who made it inside the building, we cannot assume we know the exact second-by-second movements of everyone who gained entrance. That means there is absolutely no knowing what actions were taken against digital gear inside the building.
    Passwords, documents, access codes, and confidential or secret information may have been stolen. We also need to assume that some computers may have been compromised, with malware loaded onto them. Since malware is key to any systemic penetration, we must assume that bad actors have gained some persistent, hidden, ongoing access to Capitol Building systems.
    In all likelihood, only a small number of machines were compromised. But given the sensitive nature of information stored on digital gear inside the Capitol, and given that it may be impossible to quickly ascertain which devices were compromised, federal IT personnel must assume that ALL the digital devices at the Capitol have been compromised.

    The situation is actually worse than it may appear at first. According to a USA Today timeline, Congress reconvened at 8pm on January 6. It’s likely that staff computer use began mere minutes after Congress reconvened. Obviously, there was no way to completely lift and replace thousands of machines instantly. Therefore, from that moment until now, members and their staff have been using digital devices that may have been compromised. That means that all communications, files, and network connections from and to those devices may have also been compromised.
    Physical access raises the stakes
    If the Capitol’s computers had been penetrated by a traditional malware-driven hack followed by a breach over the Internet, mitigation could have been moderately straightforward, if inconvenient and painful. Systems could have been scanned for malware, and, in the most sensitive cases, hard drives could have been zeroed or replaced.
    But there were hundreds of unauthorized people in the building, people who were photographed having gained access to the desks and private offices of members. These people could have gone anywhere within the building.
    We also have to assume that there were some foreign actors who entered the building by blending into the crowd. Yes, I know this sounds paranoid, but hear me out. We know that Russia and other nations have been conducting cyberattacks against America for some time.
    We also know that the final congressional certification of ballots for the 2020 presidential election was Constitutionally mandated for January 6 — and because of the heated rhetoric, it was all but a certainty that there would be crowds and unrest.
    It is therefore highly likely that enemy (or frenemy) actors were likewise aware of the potential for unrest around the Capitol Building. While the specific details of exactly what would unfold in what order on January 6 was impossible to predict, there’s good reason to expect that international handlers would find it prudent to keep small squads of agents on standby. That way, if the opportunity presented itself, they could surreptitiously insert those agents into the situation.
    Therefore, we have to assume that some of the people who penetrated Capitol Hill were probably foreign actors. And from that observation, we have to expect one or more of those foreign actors who made it inside took some physical action against machines normally out of reach.
    Physical access is more than stealing computers
    Once an enemy agent gains physical access, a lot can happen. And by a lot, I mean stealth attacks that will require the Capitol’s IT teams to mount a scorched-earth remediation effort. First, let’s be aware that malware often doesn’t show itself until a set period of time has passed or a trigger happens. So machines that seem perfectly fine may well be Trojan horses.
    It is possible that machines were opened and thumb drives or even extra drives were placed inside machines, which were then sealed back up. With a power screwdriver, it’s possible to open up the skins of a tower PC, shove a USB stick into an open internal port, and seal the thing back up in a minute or two. These might never be detected.

    When Stuxnet destabilized the Natanz centrifuges in Iran, the worm was delivered via USB drives smuggled into the facility. In the case of Capitol security, hundreds of people were inside the Capitol building. An effective attack would simply be to leave random, generic USB drives in various drawers and on various desks. Without a doubt, someone would see a drive, assume it was one of their own, and plug it in. Malware delivered.
    There are other physical attacks possible. We’ve talked previously about a USB charger with a wireless keylogger. We’ve written about the Power Pwn, a device that looks like a power strip but which hides wireless network hacking tools. We’ve discussed how a man-in-the-middle attack was launched against EU offices, siphoning Wi-Fi traffic to an illegal listener.
    With hundreds of people inside the Capitol Building, devices like these could have been left in place. It could take weeks or months to discover them, especially if they were left as if they were clutter, to be used by random staffers when they need a spare piece of hardware.
    What must be done
    There are some IT best practices that can reduce the risk. Network micro-segmentation can prevent malware from crossing between zones, for example. But no network-based security practice can completely mitigate a physical attack.
    The Capitol Building must be completely scrubbed. All machines must be scanned. Any desktop PC that is not hermetically sealed must be opened and the internals carefully inspected. USB drive slots must be locked, so Capitol Hill staffers can’t plug in random USB drives. The building must be repeatedly scanned on a room-by-room, floor-by-floor basis for radiant signal broadcast.
    Congressional staffers must be educated about what to look for, about best practices, and about taking extra care even if it takes extra time.
    Every single digital device within the Capitol grounds must be considered suspect. It’s essential that a strong security standing be maintained even after active machines have been tested and scanned, because we need to be on the lookout for delayed threats and attacks that are hiding, waiting for their opportunity to trigger access.
    Espionage Act violations
    Finally, everyone who participated in the attack, particularly those who penetrated the building, must be prosecuted to the fullest extent of the law and possibly even charged with Espionage Act violations. While some of the participants may have been characterized as “patriots” or angry “fine people,” the fact is that their actions may have provided cover for acts of espionage by our nation’s enemies.
    I can hear what you’re saying. “But David, isn’t it being a little paranoid to think other countries would take advantage of our own internal disputes?” Okay, fine. Nobody would say that. Instead, there’d be a lot of fist waving and yelling at me. But for our purposes, let’s go with the civil version.
    And no, it’s not a little paranoid. Russia did meddle with the 2016 election. It’s part of basic tradecraft to incite anger and disagreements among a target’s population. We know Russian meddling has contributed to the anger and rage we’re all feeling — although our own politicians certainly leveraged off of it for their own selfish interests.
    The Capitol Building attack was absolutely rage and anger based. Given that sowing unrest is a major part of Russia’s playbook, it’s entirely likely that they were very aware of the significance of the January 6 date and were quite prepared to capitalize on it to the fullest extent. And all that brings us to espionage — conducted by foreign actors, but very likely aided and abetted by duped or complicit Americans strung out on a rage high.
    Those who stormed Capitol Hill may have violated 18 U.S. Code § 792 – Harboring or concealing persons. This code is simple, stating, “Whoever harbors or conceals any person who he knows, or has reasonable grounds to believe or suspect, has committed, or is about to commit, an offense.” If a case can be made that any of the attackers might merely suspect an external agent would breach the building with them, they’re in violation of this statute.
    They may have also violated 18 U.S. Code § 793 – Gathering, transmitting or losing defense information. This is one of the big ones, opening with “Whoever, for the purpose of obtaining information respecting the national defense with intent or reason to believe that the information is to be used to the injury of the United States, or to the advantage of any foreign nation…” Stopping or overturning an election can definitely be considered “to the injury of the United States,” and again, if any of this information is disclosed to a foreign power — even via a photo on Twitter, it’s a serious violation.
    It goes on to list a vast array of government resources that, if breached, would be in violation, including “…building, office, research laboratory or station or other place connected with the national defense owned or constructed, or in progress of construction by the United States or under the control of the United States, or of any of its officers, departments, or agencies…” Clearly, the Capitol Building falls under this, especially since congressional committees do deal with highly classified information.
    People who commit crimes under these codes “shall be fined under this title or imprisoned not more than ten years, or both.”
    It’s with 18 U.S. Code § 794 – Gathering or delivering defense information to aid foreign governments that things start to get serious. The statute begins with “Whoever, with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation,” and, again, blocking the Constitutionally-mandated certification of an election is injurious to the United States.
    But here’s where it gets dicey for those who broke in on January 6. The statute continues:

    …communicates, delivers, or transmits, or attempts to communicate, deliver, or transmit, to any foreign government, or to any faction or party or military or naval force within a foreign country, whether recognized or unrecognized by the United States, or to any representative, officer, agent, employee, subject, or citizen thereof, either directly or indirectly, any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, note, instrument, appliance, or information relating to the national defense…


    This statute is very broad, essentially saying that even if delivery is made to someone not officially recognized as a foreign national, or even delivery is made indirectly (say via a friend, an eBay auction, pictures on Instagram, etc.), it’s in violation. So those pictures we saw of desks with documents, screens with email, etc? If any one item in any of those pictures was confidential or classified, and could be seen by a foreign agent, this clause is triggered.
    The punishment? Well, let’s let the statute speak for itself: “shall be punished by death or by imprisonment for any term of years or for life.” Ouch!
    Let’s be clear here. Most of the attackers were Americans. And as despicable as their actions were — and breaking into and interrupting a Constitutional practice is despicable, regardless of which side of the aisle you’re on — most of them most likely thought they were acting on behalf of the US, not with intent to injure it.
    The law often takes into account intent. But when it comes to espionage, the law has a very large hammer. The United States does not take kindly to espionage. With thousands of people in the crowd outside the building and hundreds who broke in, there was no way for those committing the crime to know who their fellow mob members might be at the time. Providing cover for enemy agents, even if it could be argued it was done through naivety or stupidity, is still providing cover for enemy agents. 
    This is going to play out for months or years, both in our courts and within the United States Intelligence Community. If any secured information resulting from this breach winds up in any foreign hands, the stakes will go up immeasurably and those good ol’ boys from middle America wearing dad jeans and baseball caps or goat horns, face paint, and fur bikinis may well find themselves subject to the full might and wrath of the United States Government — the very government they tried to overthrow.
    You can help
    InfraGard posted a recent alert that I’m now sharing with you. The Federal Bureau of Investigation’s Washington Field Office is seeking the public’s assistance in identifying individuals who made unlawful entry into the US Capitol Building on January 6, 2021, in Washington, D.C.
    In addition, the FBI is offering a reward of up to $50,000 for information leading to the location, arrest, and conviction of the person(s) responsible for the placement of suspected pipe bombs in Washington, D.C. on January 6, 2021. 
    At approximately 1:00 p.m. EST on January 6, 2021, multiple law enforcement agencies received reports of a suspected pipe bomb with wires at the headquarters of the Republican National Committee (RNC) located at 310 First Street Southeast in Washington, D.C.
    At approximately 1:15 p.m. EST, a second suspected pipe bomb with similar descriptors was reported at the headquarters of the Democratic National Committee (DNC) at 430 South Capitol Street Southeast #3 in Washington, D.C.
    Anyone with information regarding these individuals, or anyone who witnessed any unlawful violent actions at the Capitol or near the area, is asked to contact the FBI’s Toll-Free Tipline at 1-800-CALL-FBI (1-800-225-5324) to verbally report tips. You may also submit any information, photos, or videos that could be relevant online at fbi.gov/USCapitol. You may also contact your local FBI office or the nearest American Embassy or Consulate.

    Disclosure: David Gewirtz is a member of InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure.

  •

    Singapore touts 'greener' digital monetary gifts this Lunar New Year

    Singapore is urging citizens to go green and tap digital payment platforms when they dish out monetary gifts to celebrate the upcoming Lunar New Year. This will help reduce carbon emissions currently estimated to be some 330 tonnes as a result of the annual customary practice. 
    The Monetary Authority of Singapore (MAS) on Monday said the use of e-hongbaos, apart from being more environmentally friendly, also would facilitate remote gifting amidst safe distancing measures in the ongoing COVID-19 pandemic. In addition, e-gifters would not need to join the queue for physical bank notes. 

    MAS’ assistant managing director for finance, risk, and currency, Bernard Wee, noted that the adoption of digital payments grew significantly this past year and proved more convenient than cash. “The coming Lunar New Year offers an opportunity for us to build on this momentum to spread the benefits of e-gifting, and to forge new traditions with our families and friends,” Wee said. 
    “E-gifting helps to reduce the queues at banks and also helps to reduce the carbon emissions generated by the production of new notes for each Lunar New Year, estimated to be about 330 tonnes currently,” he said. “This is equivalent to emissions from charging 5.7 million smartphones or one smartphone for every Singaporean resident for five days.”
    MAS added that handing out e-hongbaos would reduce the need to print, and waste, new notes since these typically were returned by the public to banks after each Lunar New Year. 
    The industry regulator called on fintech companies to develop and offer various e-gifting applications and services to support the move. It added that the Association of Banks in Singapore would actively promote e-gifting this festive season.
    In China, messaging platforms such as WeChat have facilitated and seen increasing adoption of e-hongbaos. Tencent in 2019 said 823 million of its WeChat users sent and received the digital monetary gifts in the first six days of the Lunar New Year, which was up 7% from the previous year. 

    MAS last November said eligible non-bank financial institutions in Singapore soon would have direct access to the country’s retail payment platforms, PayNow and FAST. This would enable e-wallet users to make funds transfers between bank accounts and across different e-wallets. Currently, e-wallets can be topped up only via credit or debit cards and funds cannot be transferred between e-wallets. 
    To plug this gap, MAS said a new API (application programming interface) payment gateway had been developed under guidelines from the Singapore Clearing House Association (SCHA) and Association of Banks in Singapore (ABS), both of which govern FAST and PayNow, respectively. The API would better fit the technology architecture of banks and non-bank financial institutions, MAS said, adding that direct access to the payment platforms would be effective from February 2021.
    Some ransomware gangs are going after top execs to pressure companies into paying

    A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain “juicy” information that they can later use to pressure and extort a company’s top brass into approving large ransom payouts.

    ZDNet first learned of this new tactic earlier this week during a phone call with a company that paid a multi-million dollar ransom to the Clop ransomware gang.
    Similar calls with other Clop victims and email interviews with cybersecurity firms later confirmed that this wasn’t just a one-time fluke, but instead a technique that the Clop gang had fine-tuned across the past few months.
    Making the extortion personal
    The technique is an evolution of what we’ve been seeing from ransomware gangs lately.
    For the past two years, ransomware gangs have evolved from targeting home consumers in random attacks to going after large corporations in very targeted intrusions.
    These groups breach corporate networks, steal sensitive files they can get their hands on, encrypt files, and then leave ransom notes on the trashed computers.
    In some cases, the ransom note informs companies that they have to pay a ransom demand to receive a decryption key. In case data was stolen, some ransom notes also inform victims that if they don’t pay the ransom fee, the stolen data will be published online on so-called “leak sites.”

    Ransomware groups hope that companies will be desperate to avoid having proprietary data or financial numbers posted online and accessible to competitors and would be more willing to pay a ransom demand instead of restoring from backups.
    In other cases, some ransomware gangs have told companies that the publishing of their data would also amount to a data breach, which would in many cases also incur a fine from authorities, as well as reputational damage, something that companies also want to avoid.
    However, ransomware gangs aren’t always able to get their hands on proprietary data or sensitive information in all the intrusions they carry out. This reduces their ability to negotiate and pressure victims.
    This is why, in recent intrusions, a group that has often used the Clop ransomware strain has been specifically searching for workstations inside a breached company that are used by its top managers.
    The group sifts through a manager’s files and emails, and exfiltrates data that they think might be useful in threatening, embarrassing, or putting pressure on a company’s management — the same people who’d most likely be in charge of approving their ransom demand days later.
    “This is a new modus operandi for ransomware actors, but I can say I’m not surprised,” Stefan Tanase, a cyber intelligence expert at the CSIS Group, told ZDNet in an email this week.
    “Ransomware usually goes for the ‘crown jewels’ of the business they are targeting,” Tanase said. “It’s usually fileservers or databases when it comes to exfiltrating data with the purpose of leaking it. But it makes sense for them to go after exec machines if that’s what’s going to create the biggest impact.”
    Clop already uses this tactic, REvil too, but scarcely
    Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told ZDNet that, so far, they’ve only seen tactics like these in incidents involving the Clop ransomware.
    “This style of blackmail may be the modus operandi of a particular [Clop] affiliate, and that affiliate could also work for other [ransomware] groups,” Callow told us.
    The Emsisoft analyst described this evolution in extortion tactics as “not at all surprising” and “a logical and inevitable progression.”
    “Over the last couple of years, the tactics used by ransomware groups have become increasingly extreme, and they now use every possible method to pressure their victims,” Callow said.
    “Other tactics include harassing and threatening phone calls to both executives and customers and business partners, Facebook ads, press outreach, and threats to reveal companies’ ‘dirty laundry’.”

    But in a similar interview with Evgueni Erchov, director of incident response and cyber threat intel at Arete IR, it appears that an affiliate of the REvil (Sodinokibi) ransomware-as-a-service operation has already adopted this technique from the Clop gang (or this might be the same Clop affiliate that Callow mentioned above).
    “Specifically, the threat actor was able to find documents related to ongoing litigations and the victims’ internal discussions related to that,” Erchov told ZDNet.
    “Then the threat actor used that information and reached out directly to executives over email and threatened to release the data of the alleged ‘misconduct by the management’ publicly,” Erchov said.
    Allan Liska, a senior security architect at Recorded Future, told ZDNet that they’ve only seen this tactic with Clop attacks, but they don’t rule out other ransomware actors adopting it as well.
    “Ransomware gangs are very quick to adopt new techniques, especially those that make ransom payment more likely,” Liska said.
    “It also makes sense in the evolution of extortion tactics, as ransomware gangs have gone after bigger targets they have had to try different ways of forcing payment.
    “Leaking stolen data is the one everyone is aware of, but other tactics, such as REvil threatening to email details of the attack to stock exchanges, have also been tried,” Liska said.
    Not always truthful
    However, Bill Siegel, the CEO and co-founder of security firm Coveware, said that in many cases, the data used in these extortion schemes aimed at a company’s management isn’t truthful or doesn’t live up to the attackers’ claims.
    “They [the ransomware groups] make all sorts of threats about what they may or may not have,” Siegel told ZDNet.
    “We have never encountered a case where stolen data actually showed evidence of corporate or personal malfeasance. For the most part, it is just a scare tactic to increase the likelihood of payment,” Siegel said.
    “Let’s remember these are criminal extortionists. They will say or claim all sorts of fantastical things if it makes them money.”
    ZDNet would also like to thank security firm S2W Lab for their help on this article.