#Trusted Tech News Platform
US Government Warns Organizations of LockBit 3.0 Ransomware Attacks

March 18, 2023 Cyber Security / Hacking and Security
The Federal Bureau of Investigation (FBI), the Cybersecurity and Information Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) this week issued an alert on the LockBit 3.0 ransomware operation. Since January 2020, LockBit has functioned based on the ransomware-as-a-service (RaaS) model, targeting a broad range of businesses and critical infrastructure entities and using a variety of tactics, techniques, and procedures (TTPs). Also referred to as LockBit Black, LockBit 3.0 has a more modular architecture compared to its previous variants, and supports various arguments that modify its behavior after deployment. To hinder analysis and detection, LockBit 3.0 installers are encrypted, and can only be executed if a password is supplied, the FBI, CISA, and MS-ISAC explain in a joint advisory. The malware also supports specific arguments for lateral movement, can reboot systems in Safe Mode, and performs a language check at runtime to avoid infectin
Cisco confirms data breach following Yanluowang ransomware attack in May

September 14, 2022 computer security / Cyber Security
Cisco has confirmed that the data the Yanluowang ransomware gang published on its leak site was indeed stolen from the firm during the May cyberattack. The firm’s network was breached after hackers compromised an employee's VPN account. Even so, the tech giant affirms the leak has no impact on its business, as originally assessed. According to the company, the stolen records comprised non-sensitive files from the employee’s Box folder. However, the attack was contained before Yanluowang ransomware could start encrypting systems. “On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” explained Cisco. “Our previous analysis of this incident remains unchanged - we continue to see no impact to our business, including Cisco products or services
Ransomware Campaigns Linked to Iranian Govt's DEV-0270 Hackers

September 08, 2022 Cyber Security / Hackers
Security researchers have linked multiple ransomware campaigns to DEV-0270 (also known as Nemesis Kitten). The threat actor, widely considered a sub-group of Iranian actor PHOSPHORUS, conducts various malicious network operations on behalf of the Iranian government, according to a new write-up by Microsoft. However, judging from the threat actor’s geographic and sectoral targeting (which often lacked a strategic value for the regime), Microsoft also speculated that some of DEV-0270’s attacks might be a form of moonlighting for personal or company-specific revenue generation. From a technical standpoint, the tech giant said DEV-0270 leverages exploits, particularly for newly disclosed high-severity vulnerabilities, to gain access to devices. “DEV-0270 also extensively uses living-off-the-land binaries (LOLBins) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices,” the Microsoft
Luca Stealer malware spreads quickly after code helpfully shows up on GitHub

July 26, 2022 Cyber Security / Github
A new info-stealer malware is spreading rapidly in the wild as the developer behind it continues to add capabilities and recently released the source code on GitHub. In addition, the Windows software nasty – dubbed Luca Stealer by the folks at Cyble who detected it – is the latest to be built using the Rust programming language. The researchers wrote in a report that Luca Stealer already has been updated three times, with the developer adding multiple functions, and that they have seen more than 25 samples of the source code in the wild since it was shared via GitHub on July 3, which may lead to wider adoption by the cybercriminal community. "The developer of the stealer appears to be new on the cybercrime forum and likely leaked the source code of the stealer to build a reputation for themselves," the researchers wrote. "The developer has also provided the steps to modify the stealer and compile the source code for ease of use." They noted that Rust is becoming
Global Malware Volumes Increase for First Time in Three Years - SonicWall

July 26, 2022 Cyber Attack / Cyber Security
Global ransomware volumes shrank by 23% year-on-year (YoY) in the first half of 2022, but overall malware surged by 11% over the period, according to new data from SonicWall. The mid-year update to the firm’s 2022 SonicWall Cyber Threat Report is based on analysis of one million security sensors in over 200 countries, as well as third-party sources. The 2.8 billion malware attacks detected in the first half of 2022 represent the first recorded growth in global malware volumes in three years, according to SonicWall. Although ransomware volumes dipped to 236 million, they surged in Europe (63%), which also saw a 29% YoY increase in overall malware attacks. “As bad actors diversify their tactics, and look to expand their attack vectors, we expect global ransomware volume to climb – not only in the next six months, but in the years to come,” said SonicWall CEO and president, Bill Conner. “With so much turmoil in the geopolitical landscape, cybercrime is increasingly becoming more sophistic
Lockbit Ramps Up Attacks on Public Sector

July 26, 2022 Cyber Security / ransomware
The prolific Lockbit ransomware gang appears to have claimed another two scalps in recent days: the Canadian town of St Marys and the Italian tax agency. The local administration at St Marys explained in an update on Friday that the attack occurred last Wednesday, locking an internal server and encrypting data on it. “Upon learning of the incident, staff took immediate steps to secure any sensitive information, including locking down the town’s IT systems and restricting access to email. The town also notified its legal counsel, the Stratford Police Service and the Canadian Centre for Cyber Security,” a statement read. “The town is now working with cyber incident response experts to investigate the source of the incident, restore its back up data and assess the impacts on its information, if any. These experts are also assisting staff as they work to fully unlock and decrypt the town’s systems, a process that could take days.” Critical local services, including fire, police, transit a