home.social

#stopransomware — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #stopransomware, aggregated by home.social.

  1. 13 Nov. CISA: "in collaboration with the Federal Bureau of Investigation, Dept of Defense Cyber Crime Center, Dept of Health & Human Services, & international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware" www.cisa.gov/news-events/... #cybersec #tech

    CISA and Partners Release Advi...

  2. Good day everyone!

    As you know I am a big advocate for threat hunting and I like to post the articles that I read related to it but there is a bigger picture that I normally leave out because of my perspective. As a threat hunter I like to look at behaviors and artifacts (Indicators of Attack) and the MITRE ATT&CK Matrix but something I should probably start talking more about is the overall picture of the Threat Hunting Life-cycle. Really, this was brought about because of the joint advisory from Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI) as well as the Australian Government they released on the #Play Ransomware. This isn't the first time that I have read it and hopefully wont be the last simply because of these couple of lines:

    "June 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting." Above it they mention that the original advisory was published in December 18, 2023 but the fact that they are returning to the these and updating them with new TTPs and providing new IOCs is a GREAT example of the Threat Hunting Life-cycle.

    So if you do have a threat hunting program in your environment, maybe implement something similar to your hunts if you haven't do so already. Revisit the hunts that have been conducted already in your environment and see if the information within is still current and if not, update it accordingly! Have a wonderful day and Happy Hunting!

    #StopRansomware: Play Ransomware
    cisa.gov/news-events/cybersecu

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #ransomware #readoftheday

  3. Nuovo report FBI: Medusa Ransomware colpisce 300 vittime in pochi mesi!

    Il presente articolo si basa su un documento congiunto pubblicato da FBI, CISA e MS-ISAC nel marzo 2025, nell’ambito della campagna #StopRansomware. Il report fornisce dettagli sulle tattiche, tecniche e procedure (TTP) utilizzate dal ransomware Medusa, insieme agli indicatori di compromissione (IoC) e alle raccomandazioni per la mitigazione. La finalità di questa analisi è sensibilizzare le organizzazioni sulle minacce emergenti e fornire strumenti concreti per la protezione delle infrastrutture critiche.

    Medusa Ransomware


    Medusa Ransomware si conferma come una delle minacce più attive nel panorama cybercriminale globale. Identificato per la prima volta nel giugno 2021, Medusa ha adottato un modello di Ransomware-as-a-Service (RaaS), evolvendosi in una rete distribuita di affiliati che colpiscono settori critici come sanitario, educativo, legale, assicurativo, tecnologico e manifatturiero. La recente analisi condotta da FBI, CISA e MS-ISAC rivela che, a febbraio 2025, il ransomware ha già colpito oltre 300 organizzazioni a livello internazionale.

    Medusa Ransomware si distingue per l’impiego di tecniche avanzate per ottenere l’accesso iniziale, muoversi lateralmente nei sistemi infetti ed esfiltrare dati sensibili. Il suo schema di attacco segue il modello della doppia estorsione: non solo i file vengono criptati, ma i dati sottratti vengono minacciati di pubblicazione nel dark web in caso di mancato pagamento del riscatto.

    Tecniche di Attacco


    Gli attori di Medusa si avvalgono di:

    • Phishing e vulnerabilità non patchate: sfruttano vulnerabilità note come CVE-2024-1709 e CVE-2023-48788 per ottenere accesso ai sistemi.
    • Strumenti LOTL (Living Off The Land): software legittimi come PowerShell, WMI e Advanced IP Scanner vengono utilizzati per la persistenza ed evasione.
    • Movimento laterale e esecuzione remota: impiegano strumenti come PsExec, RDP e software di accesso remoto come AnyDesk, ConnectWise, Splashtop.
    • Cancellazione delle tracce: eliminano i log di PowerShell e utilizzano tecniche di offuscamento per evitare il rilevamento.
    • Cifratura e sabotaggio: disattivano Windows Defender e altre misure di sicurezza prima di criptare i file con AES-256 e cancellare le copie shadow.

    Il modello economico di Medusa prevede un portale Tor dedicato dove le vittime possono negoziare il riscatto. In alcuni casi, i criminali hanno richiesto un pagamento aggiuntivo sostenendo che l’importo iniziale era stato sottratto da un altro membro del gruppo, introducendo una forma di tripla estorsione.

    Indicatori di Compromissione (IoC)


    Alcuni file e hash identificati nelle operazioni di Medusa:

    • !!!READ_ME_MEDUSA!!!.txt: file contenente la richiesta di riscatto.
    • openrdp.bat: script per abilitare RDP e connessioni remote.
    • pu.exe (80d852cd199ac923205b61658a9ec5bc): eseguibile per la creazione di shell remote.

    Email utilizzate per la negoziazione del riscatto:


    Mitigazioni


    Per proteggersi da Medusa e da altre minacce ransomware, FBI, CISA e MS-ISAC raccomandano di:

    • Mantenere aggiornati i sistemi con patch e fix di sicurezza.
    • Implementare l’autenticazione multi-fattore su tutti gli account critici.
    • Segmentare la rete per limitare il movimento laterale degli attaccanti.
    • Monitorare il traffico di rete per individuare comportamenti anomali.
    • Eseguire backup offline e testarne la ripristinabilità per garantire la continuità operativa.

    Medusa Ransomware rappresenta una minaccia persistente e sofisticata, capace di adattarsi alle difese delle aziende colpite. La consapevolezza e la prevenzione rimangono le armi più efficaci per contrastare questo tipo di attacchi. Per un approfondimento tecnico sui TTP di Medusa, si consiglia di consultare il report completo di FBI, CISA e MS-ISAC.

    Resta aggiornato su Red Hot Cyber per ulteriori analisi e aggiornamenti sulle minacce emergenti nel panorama della cybersecurity.

    L'articolo Nuovo report FBI: Medusa Ransomware colpisce 300 vittime in pochi mesi! proviene da il blog della sicurezza informatica.

  4. Happy Friday everyone!

    The Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation (FBI) have released a #cybersecurity advisory focusing on the #Ghost ransomware threat. They provide us with some updates to the TTPs and Behaviors on the groups activity and what we can hunt for!

    Behaviors (MITRE ATT&CK):
    Initial Access - TA0001
    Exploit Public-Facing Application - T1190 - the group exploited many CVEs to gain their initial foothold. They exploited Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE2021-34473, CVE-2021-34523, and CVE-2021-31207.

    Defense Evasion - TA0005
    Impair Defenses: Disable or Modify Tools - T1562.001 - Ghost
    frequently runs a command to disable Windows Defender on network connected devices.

    There are plenty of other technical and behavior artifacts in the report, so go check it out yourself! Enjoy and Happy Hunting!

    #StopRansomware: Ghost (Cring) Ransomware
    cisa.gov/news-events/cybersecu

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  5. StopRansomware: RansomHub Ransomware

    RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploiting vulnerabilities, and password spraying. They use tools like Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools like PuTTY and AWS S3 buckets. The ransomware uses Curve 25519 encryption and implements intermittent encryption. It targets user files and networked shares, leaving a ransom note and deleting volume shadow copies.

    Pulse ID: 66d204f1d658869764c07d47
    Pulse Link: otx.alienvault.com/pulse/66d20
    Pulse Author: AlienVault
    Created: 2024-08-30 17:44:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AWS #CyberSecurity #Encryption #Extortion #InfoSec #OTX #OpenThreatExchange #Password #Phishing #PsExec #RAT #RDP #RansomWare #RansomwareAsAService #StopRansomware #Word #bot #AlienVault

  6. ESET Research reports that AceCryptor use surged in the second half of 2023. This included Remcos RAT campaigns for the first time, using compromised accounts for credibility in phishing emails. AceCryptor + Remcos campaigns targeted Poland, Bulgaria, Spain, and Serbia. Campaigns were described, MITRE ATT&CK TTPs and IOC provided. 🔗 welivesecurity.com/en/eset-res

    #AceCryptor #threatintel #IOC #Remcos #RemcosRAT #VidarStealer #Stopransomware #SmokeLoader

  7. OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.

    @allan @brett @BleepingComputer

    #ransomware #infosec

  8. OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.

    @allan @brett @BleepingComputer

    #ransomware #infosec

  9. OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.

    @allan @brett @BleepingComputer

    #ransomware #infosec

  10. OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.

    @allan @brett @BleepingComputer

    #ransomware #infosec

  11. OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.

    @allan @brett @BleepingComputer

    #ransomware #infosec

  12. ⚠️ Cuba Ransomware resources drop ⚠️

    A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today youtube.com/watch?v=K1a6Mac1-y

    Link to the latest @CISA @FBI #StopRansomware alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) cisa.gov/uscert/ncas/alerts/aa

    Past advisories on five other #ransomware highly active in targeting U.S. critical infrastructure – and many other – organizations just this year: cisa.gov/stopransomware/stopra

    According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. As adversaries continue to evolve their TTPs rapidly and often, we had the chance to write more about this trend on our blog recently: tidalcyber.com/blog/adversary-

    (And here’s another piece covering TTP evolution relative to another top malware, QakBot tidalcyber.com/blog/identifyin)

    In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset github.com/joshhighet/ransomwa

    The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋

    #Cuba Ransomware details from #mitreattack app.tidalcyber.com/software/09

    Technique set for Cuba TTPs published in February app.tidalcyber.com/share/6fbf9 (source: mandiant.com/resources/blog/un)

    Cuba technique set based on CISA’s/FBI’s new alert: app.tidalcyber.com/share/11c63

    Script to quickly convert techniques & procedures from recent #CTI into a technique “layer” json file: github.com/mitre-attack/attack

    LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: app.tidalcyber.com/technique/a

    Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: unit42.paloaltonetworks.com/cu

    Disable or Modify Tools technique details page: app.tidalcyber.com/technique/9

    Final Cuba Ransomware technique time series comparison/overlay: app.tidalcyber.com/share/7631b

    Dashboard we’re maintaining covering all TTPs from the #StopRansomware alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: app.tidalcyber.com/share/9c1f0

    Join the Tidal Community Slack channel to engage with & learn from others throughout the #threatinformeddefense space join.slack.com/t/tidalcommunit

    Catch this and other walkthroughs on the @tidal Cyber YouTube channel youtube.com/@tidalcyber6071

    #cyberthreatintelligence #cybersecurity #OSINT #SharedWithTidal