Russian Ransomware Group Hacked US News Company

Uploaded on 2020-07-24 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

The Russian based group Evil Corp, also known as the Dridex gang and TA505, successfully hacked into dozens of US newspaper websites owned by the same company. Their aim was to infect the employees of over 30 major US private firms using fake software update alerts displayed by the malicious SocGholish JavaScript-based framework.

The Evil Corp a large cybercrime group, originally known for its use of the Dridex banking Trojan, is now using new ransomware called WastedLocker, demanding ransom payments of $500,000 to $1 million, according to security researchers.

The gang sent phishing emails with fraudulent messages about a software update to employees of each newspaper. These emails contained the SocGholish fake update framework, which can deliver malicious payloads, according to Symantec, who did not name the newspapers affected. The employees' computers were used as a stepping point into their companies' enterprise networks as part of what looks like a series of targeted drive-by attacks.

Symantec has confirmed that "dozens of US newspaper websites owned by the same parent company have been compromised by SocGholish injected code."

Had the attacks succeeded, the victims would have likely lost millions of dollars in downtime and damages. The attacks could also have had a cascading effect on the US supply chain, Symantec said. Evil Corp. is a well-known threat actor believed responsible for attacks, including those associated with Dridex and Zeus ransomware samples, that have cumulatively cost victims hundreds of millions of dollars in damages.

A US federal court last year indicted two members of the gang on charges related to their long-standing criminal campaigns. Both remain at large, one of them with a $5 million US reward on his head.

Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group. “As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses,” the US Justice Department said in a statement last year.

Evil Corp specialises in targeting the US and British financial services sector through their use of the Dridex malware and is thought to have stolen at least US $100 million to date.

Symantec researchers discovered at least 150 legitimate but previously hacked websites that were being used to host SocGholish and to download it on systems belonging to visitors to these sites. They notified the organisation of the issue and the malicious code has since been removed. The fact that as many as 31 of Symantec's enterprise customers were targeted in the attacks suggests that Evil Corp.'s overall WastedLocker campaign is very broad in scope, Symantec noted.

The NCC Group, which has also been tracking the WastedLocker campaign, has described it as targeted and beginning in May 2020. According to researchers from both Symantec and NCC Group, the attackers from Evil Corp. have been using a combination of custom tools and legitimate processes and services to deploy the ransomware to communicate with command-and-control servers and to move laterally on infected networks.

The Evil Corp has been active since  2007 and it distributed the Dridex malware toolkit later used to spread other threat actors' malware payloads. They were also involved in the distribution of Locky ransomware, as well as their own ransomware strain known as BitPaymer until 2019.

How WastedLocker Works

Once downloaded onto a network, the new WastedLocker malware searches for and targets the system's removable, fixed, shared and remote drives to help minimise the chances that the victim can recover through backups. For each encrypted file, the attackers create a separate file that contains the ransomware note. It then appends the encrypted file's extension with an abbreviation of the target's name and the word "wasted."

Symantec:        Dark Reading:       Bleeping Computer:       Bank Infosecurity:      Information Security Buzz

Duo:      NCC:    ZDNet:  

You Might Also Read:

US Companies Hit With A New Ransomware Campaign:

 

« Cyber Warfare, Intelligence & Malware
Iran Threatens Retaliation For Cyber Attack At Nuclear Site »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Assure Technical

Assure Technical

Assure Technical offers a holistic approach to Technical Security. Our expertise and services span across the Physical, Cyber and Counter Surveillance domains.

Intelligence-sec

Intelligence-sec

Intelligence-Sec is a fully integrated Conferences and Exhibitions Company managing and producing topical events for the security industry.

Messageware

Messageware

Messageware is the market leader in securing, enhancing, and customizing Microsoft Exchange and Outlook Web App.

SparkCognition

SparkCognition

SparkCognition’s AI-powered solutions enhance cybersecurity, identify and prevent equipment failures before they happen, and provide prescriptive intelligence for maintaining your most critical assets

Blockchain Firm

Blockchain Firm

Blockchain Firm is a leading Blockchain based software solutions and service provider with our roots of expertise running deep into the technology.

Munich Re

Munich Re

Munich Re is a leading global provider of reinsurance, primary insurance and insurance-related risk solutions including Cyber.

SoloKeys

SoloKeys

SoloKeys provides the first open-source FIDO2 security key: Protect your online accounts against unauthorized access by using the most secure login method.

National Institute for Research & Development in Informatics (ICI Bucharest) - Romania

National Institute for Research & Development in Informatics (ICI Bucharest) - Romania

ICI Bucharest is the most important institute in the field of research, development and innovation in information and communication technology (ICT) in Romania.

NI Cyber Security Centre

NI Cyber Security Centre

NI Cyber Security Centre works to make Northern Ireland cyber safe, secure and resilient for its citizens and businesses.

Bright Pixel Capital

Bright Pixel Capital

Bright Pixel Capital is a venture capital company with a focus on Cybersecurity, Retail Technologies, Digital Infrastructure and Emerging Technologies.

Cybergroot

Cybergroot

Cybergroot provides Cybersecurity Assessment services and professional Information Security trainings.

Altospam

Altospam

Altospam is a full service corporate email protection, integrating multiple security levels for your emails.

ImmuneBytes

ImmuneBytes

ImmuneBytes is a cutting-edge security startup that aims to provide a secure blockchain environment for a dependable and open Web3 ecosystem.

Bluefin Payment Systems

Bluefin Payment Systems

Bluefin is the recognized integrated payments leader in encryption and tokenization technologies that protect payments and sensitive data.

Simbian

Simbian

Simbian, with its hardened TrustedLLM system, is the first to accelerate security by empowering every member of a security team from the C-Suite to frontline practitioners.

SentryMark

SentryMark

Stay a Step Ahead of Emerging Threats. Deviate from the traditional siloed defenses and get the proactive and responsive cybersecurity solutions and services you deserve with SentryMark today.