Russian Ransomware Group Hacked US News Company

The Russian based group Evil Corp, also known as the Dridex gang and TA505, successfully hacked into dozens of US newspaper websites owned by the same company. Their aim was to infect the employees of over 30 major US private firms using fake software update alerts displayed by the malicious SocGholish JavaScript-based framework.

The Evil Corp a large cybercrime group, originally known for its use of the Dridex banking Trojan, is now using new ransomware called WastedLocker, demanding ransom payments of $500,000 to $1 million, according to security researchers.

The gang sent phishing emails with fraudulent messages about a software update to employees of each newspaper. These emails contained the SocGholish fake update framework, which can deliver malicious payloads, according to Symantec, who did not name the newspapers affected. The employees' computers were used as a stepping point into their companies' enterprise networks as part of what looks like a series of targeted drive-by attacks.

Symantec has confirmed that "dozens of US newspaper websites owned by the same parent company have been compromised by SocGholish injected code."

Had the attacks succeeded, the victims would have likely lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. Evil Corp. is a well-known threat actor believed responsible for attacks, including those associated with Dridex and Zeus ransomware samples, that have cumulatively cost victims hundreds of millions of dollars in damages.

A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large, one of them with a $5 million US reward on his head.

Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group. “As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses,” the US Justice Department said in a statement last year.

Evil Corp specialises in targeting the US and British financial services sector through their use of the Dridex malware and is thought to have stolen at least US $100 million to date.

Symantec researchers discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites. They notified the organisation of the issue and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.

The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and beginning in May 2020. According to researchers from both Symantec and NCC Group, the attackers from Evil Corp. have been using a combination of custom tools and legitimate processes and services to deploy the ransomware to communicate with command-and-control servers and to move laterally on infected networks.

The Evil Corp has been active since  2007 and it distributed the Dridex malware toolkit later used to spread other threat actors' malware payloads. They were also involved in the distribution of Locky ransomware, as well as their own ransomware strain known as BitPaymer until 2019.

How WastedLocker Works

Once downloaded onto a network, the new WastedLocker malware searches for and targets the system's removable, fixed, shared and remote drives to help minimise the chances that the victim can recover through backups. For each encrypted file, the attackers create a separate file that contains the ransomware note. It then appends the encrypted file's extension with an abbreviation of the target's name and the word "wasted."

Symantec:        Dark Reading:       Bleeping Computer:       Bank Infosecurity:      Information Security Buzz

Duo:      NCC:    ZDNet:  

You Might Also Read:

US Companies Hit With A New Ransomware Campaign:

 

« Cyber Warfare, Intelligence & Malware
Iran Threatens Retaliation For Cyber Attack At Nuclear Site »

Directory of Suppliers

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

WEBINAR: How to achieve security visibility at scale in the AWS Cloud

WEBINAR: How to achieve security visibility at scale in the AWS Cloud

Thursday August 27, 2020: Join SANS and AWS Marketplace to learn how you can leverage solutions to create visibility at scale and allow you to do more with your data and improve your security posture.

Tenable Network Security

Tenable Network Security

Tenable Network Security - The Rise of the Business-Aligned Security Executive. Is your security operation aligned with the overarching goals of the business?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Somerdata

Somerdata

Somerdata provides specialist cybersecurity consulting, surveillance and communications solutions to Law Enforcement and security agencies worldwide.

International Association of Privacy Professionals (IAPP)

International Association of Privacy Professionals (IAPP)

The IAPP is the world's largest and most comprehensive global information privacy community and resource.

Hivelocity Hosting

Hivelocity Hosting

Hivelocity is a full service data center that provides Infrastructure as a Service, Colocation, Dedicated Servers and Cloud hosting solutions.

Secrays

Secrays

Secrays is a consulting firm providing information security, privacy and compliance services.

verify-U

verify-U

verify-U is a leading provider of online identification and verification services.

XignSYS

XignSYS

XignSys develops innovative password-free and user-friendly Authentication solutions and electronic signature systems for B2B and B2C applications.

Securmatic

Securmatic

SecurMatic is a Cyber Security Services Company that supports organizations to build cyber security into their operations that will reduce their overall exposure to cyber risk.

Quadible

Quadible

Quadible BehavAuth is an AI-platform that continuously authenticates the users, without the need of any input, by learning their behavioural patterns.

Zighra

Zighra

Zighra is a leading provider of On-Device AI solutions for continuous authentication and fraud detection on mobile and web applications.

Trusona

Trusona

Trusona is a pioneer and leader in passwordless two-factor authentication (2FA).

GM Security Technologies

GM Security Technologies

GM Security Technologies provides leading managed security services of the highest quality to every type of individual and organization in Puerto Rico, Caribbean and Latin America.

jobsDB.com

jobsDB.com

jobsDB Singapore is a search engine for jobs throughout Singapore.

Jacobs

Jacobs

Jacobs is at the forefront of the most important security issues today. We are inspired to be the best and deliver innovative, mission-focused outcomes that matter to our clients.